SQL injection vulnerabilities surge to highest levels in three years

UPDATE: Tuesday, 20 January 2015, 1:10 PT – Jericho from Attrition.org has written an insightful post that essentially debunks the data released by DB Networks. Definitely recommended reading.

After years of steady decline, 2014 witnessed a significant uptick in SQL injection vulnerabilities identified in publicly released software packages. DB Networks research indicates this alarming fact is directly attributed to today’s software development methodology – an emphasis on deadlines and budgets that gives short shrift to the kind of security due diligence that’s more important today than ever before.

DB Networks analyzed statistics from the National Vulnerability Database, a federally funded repository of cyber-vulnerability data maintained by the National Institute of Standards and Technology, to arrive at its conclusions regarding these troubling software security trends. Last year produced the most SQL vulnerabilities identified since 2011 and 104% more than were identified in 2013.

“Despite the best efforts of project managers, software development nearly always runs headlong into time and cost constraints,” said Dave Rosenberg, CTO of DB Networks. “When the clock is ticking, it seems security testing is among the first tasks to be shunted aside.”

The hope is that these SQL injection vulnerabilities are identified and the software packages patched before hackers can exploit the vulnerability. With the average cost of a data breach approaching $6 million, it’s critical to identify and remediate vulnerabilities as quickly as possible.

The ramifications of a SQL injection vulnerability occurring in a popular software package can be enormous. In October 2014, a SQL injection flaw was identified in the Drupal content management software that affected over a million web sites.

Cybercriminals have probabilities and time on their side – complex applications with large numbers of routines that generate SQL queries present better odds of discovering a flaw, and those looking to exploit a system only need one flaw to accomplish their objectives. They can apply their tools to the problem 24/7 until that flaw is uncovered. Software developers, on the other hand, are tasked with being perfect while still hitting benchmarks and deadlines.

Although it’s far too soon to make a firm prediction, the early data in 2015 indicates the upward trend in SQL injection vulnerabilities is continuing.