Why are SQL injections or XSS (cross-site scripting errors) still the biggest problem in application security, particularly Web application security? What tests or processes can we use to reduce this problem?
SQL injection and cross-site scripting (XSS) errors remain the biggest problems in application security because nearly every application has to use the technologies that underlie these vulnerabilities: querying relational databases and rendering Web pages. The standard programming interfaces for both are easy to misuse in ways that have a direct security impact (building a query or a page by concatenating untrusted strings is the path of least resistance), and organizations often give developers little guidance on how to use these facilities safely.
Many organizations also lack processes for testing for SQL injection and cross-site scripting in a consistent and comprehensive way. Both classes of vulnerability are easy for attackers to find and then exploit with automated tools. Taken together, these facts explain why such well-understood issues have been so hard to eradicate.
To make progress eliminating SQL injection and XSS from the applications in your organization, start by knowing and understanding your application portfolio, because it makes up your application attack surface. It is impossible to defend an attack surface you do not know about, so a comprehensive inventory of your potential areas of exposure is critical. In large, distributed organizations this can be particularly challenging, as multiple teams are likely building and maintaining applications.
Given this understanding, you can roll out both proactive and reactive measures to stamp out SQL injection and XSS vulnerabilities. Secure development awareness training helps developers understand the potential issues, but do not expect it to be sufficient unless you combine it with efforts to make mistakes as hard as possible to make. Provide coding standards and APIs that make data-access routines impossible to inject into (parameterized queries or prepared statements rather than string concatenation of untrusted input into SQL) and that make Web page construction routines apply correct, context-aware output encoding by default.
Once developers have the guidance and tools to succeed, test applications to confirm that the training and coding standards have been effective. Static analysis (source code or binary scanning) can be used, but you may need to customize the rule sets to match your coding conventions, for example so the scanner recognizes your own safe query and encoding APIs. Dynamic application scanning can also be effective at finding SQL injection and cross-site scripting errors. In both cases, the results of automated testing will need human inspection for tuning and for eliminating false positives.
Combining proactive steps that avoid introducing vulnerabilities with reactive steps that identify failures can eradicate SQL injection and XSS from applications. Applied consistently across your organization's application portfolio, this sharply reduces the risk of having these liabilities exposed.
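The two preceding paragraphs describe, first, data-access and page-construction APIs that cannot be injected into and encode by default, and second, testing that confirms developers actually use them. The following Python example is added here to illustrate both; it is not code from the original article. It pairs a concatenation-based SQL lookup with its parameterized replacement, pairs a raw HTML template with an encode-by-default one, and then runs a small payload-driven check of the kind a dynamic scanner or regression test would perform. The in-memory SQLite table, the `users` schema and the payload lists are all constructed for this example.

```python
import html
import sqlite3

# Constructed sample data: a tiny users table seeded in memory (assumption for this example).
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    conn.commit()
    return conn


def lookup_user_unsafe(conn, username):
    # Vulnerable pattern: untrusted input is concatenated into the SQL text,
    # so quotes in the input change the structure of the query.
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_user_safe(conn, username):
    # Parameterized query: the input is bound as data and never parsed as SQL,
    # so there is no way for it to alter the statement.
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def render_greeting_unsafe(name):
    # Vulnerable pattern: untrusted input is dropped into HTML verbatim.
    return "<p>Hello, " + name + "</p>"


def render_greeting_safe(name):
    # Encode-by-default: every interpolated value is HTML-escaped for element
    # content. Attribute, URL and JavaScript contexts need their own encoders.
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


# Constructed probe payloads, the kind a dynamic scanner sends. None names a real user,
# so a correct lookup must return no rows; none should survive as raw markup.
SQLI_PAYLOADS = [
    "' OR '1'='1",
    "x' UNION SELECT username, email FROM users --",
]
XSS_PAYLOADS = [
    "<script>alert(1)</script>",
    '"><img src=x onerror=alert(1)>',
]


def check_sql_handler(conn, handler):
    """Return True if no injection payload makes the handler return any rows."""
    return all(handler(conn, payload) == [] for payload in SQLI_PAYLOADS)


def check_html_handler(handler):
    """Return True if no payload leaves HTML-significant characters in the rendered body."""
    prefix, suffix = "<p>Hello, ", "</p>"
    for payload in XSS_PAYLOADS:
        out = handler(payload)
        body = out[len(prefix):-len(suffix)]
        if any(c in body for c in "<>\"'"):
            return False
    return True


if __name__ == "__main__":
    conn = build_db()
    print("unsafe SQL passes probes:", check_sql_handler(conn, lookup_user_unsafe))
    print("safe SQL passes probes:  ", check_sql_handler(conn, lookup_user_safe))
    print("unsafe HTML passes probes:", check_html_handler(render_greeting_unsafe))
    print("safe HTML passes probes:  ", check_html_handler(render_greeting_safe))
```

Running the script shows the concatenating versions returning every row in the table and echoing `<script>` tags, while the parameterized lookup and the escaping renderer pass every probe. The payload checks are deliberately generic: the same harness can be pointed at any handler that shares the signature, which is the property a coding-standard scan or a regression suite needs in order to verify that developers are using the approved APIs rather than rolling their own.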
This was first published in November 2012