Evaluate Weigh the pros and cons of technologies, products and projects you are considering.

Is SQL injection really the guilty party in software application vulnerabilities?

SQL injection is thought to be a major cause of Web vulnerabilities in software applications. Vulnerability scanners have made big business out of what security expert Kevin Beaver says are relatively small concerns.

Is SQL injection as big a problem as the vulnerability scanner vendors and other product/service companies say it is?

The vulnerability scanning vendors get raw data on the number of SQL injection flaws that are uncovered. If you just look at these numbers and not take authentication, user roles, and other contextual information into account, then yes you'd think the sky is falling. That said, I find lots of SQL injection flaws that are not exploitable given the context of the vulnerability. Many are false positives.

In over 10 years of testing Web applications using what I believe are some of the best tools available, I've only come across two situations where SQL injection was actually exploitable and truly meant something to the business. One was exploitable via an unauthenticated user and the other by trusted user who were logged in. I see many, many more issues with cross-site scripting, login mechanisms, and application logic that, in many cases, can be just as detrimental as SQL injection.

Here are some articles that might interest you while we're on the topic of SQL injection issues:

Dig Deeper on Topics Archive

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.