Evaluate Weigh the pros and cons of technologies, products and projects you are considering.

Is SQL injection really the guilty party in software application vulnerabilities?

SQL injection is thought to be a major cause of Web vulnerabilities in software applications. Vulnerability scanners have made big business out of what security expert Kevin Beaver says are relatively small concerns.

Is SQL injection as big a problem as the vulnerability scanner vendors and other product/service companies say it is?

The vulnerability scanning vendors get raw data on the number of SQL injection flaws that are uncovered. If you...

just look at these numbers and not take authentication, user roles, and other contextual information into account, then yes you'd think the sky is falling. That said, I find lots of SQL injection flaws that are not exploitable given the context of the vulnerability. Many are false positives.

In over 10 years of testing Web applications using what I believe are some of the best tools available, I've only come across two situations where SQL injection was actually exploitable and truly meant something to the business. One was exploitable via an unauthenticated user and the other by trusted user who were logged in. I see many, many more issues with cross-site scripting, login mechanisms, and application logic that, in many cases, can be just as detrimental as SQL injection.

Here are some articles that might interest you while we're on the topic of SQL injection issues:

This was last published in December 2009

Dig Deeper on Software Security Test Best Practices

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

You will be able to add details on the next page.

Start the conversation

Send me notifications when other members comment.

By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Please create a username to comment.