August 11, 2015 at 6:36 pm
Article today from the NYT about hackers making off with $1 million:
From the article:
For years, hackers had gained access to Marketwired by using a series of SQL, or Structured Query Language, injections — instructions written in a specific programming language that is used to retrieve and manage information in computer databases. Over two months in 2012, Mr. Turchynov used SQL injections on Marketwired on at least 390 occasions.
I'll skip the Bobby Tables reference -- this is serious theft.
Rich
August 11, 2015 at 7:01 pm
Yup, SQL injection is still serious business and still a pretty sizable problem.
Jason...AKA CirqueDeSQLeil
_______________________________________________
I have given a name to my pain...MCM SQL Server, MVP
SQL RNNR
Posting Performance Based Questions - Gail Shaw
Learn Extended Events
August 11, 2015 at 7:19 pm
We've known how to stop SQL Injection for over a decade now. I'd be curious to know others' thoughts as to why they think that SQL Injection is still so rampant.
I've got my thoughts, but I'd like to see others before I share them.
Wayne
Microsoft Certified Master: SQL Server 2008
Author - SQL Server T-SQL Recipes
August 11, 2015 at 9:18 pm
WayneS (8/11/2015)
We've known how to stop SQL Injection for over a decade now. I'd be curious to know others' thoughts as to why they think that SQL Injection is still so rampant. I've got my thoughts, but I'd like to see others before I share them.
I look forward to seeing your thoughts on this Wayne. For myself, I've seen a variety of reasons, all of them familiar:
- Building software and websites with security from the ground up is still probably not the norm. Seems to me that coders want to build functionality first and add some security retroactively. SQL injection vulnerability is bad; combine that hole with the too-common practice of software executing with elevated permissions and you've got a much worse problem.
- There's still a lot of legacy code out there, and I suspect that the more mission-critical the software, the more reluctant management will be to dig deep into the bowels of existing code to expose a potential liability. So even if no one is currently building concatenated SQL queries from unsanitized web inputs (not convinced that's the case, but assume it's true), that still leaves a lot of holes out there in the wild.
- Human nature: I've reported SQL injection vulnerabilities to companies before, large companies doing business on an international scale. I got back a mixture of denial and indifference.
- DBAs? Are we doing the best we could to spread the word, enforce coding standards, perform security scans, etc.?
Rich
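Rich's first two points (queries concatenated from unsanitized input, made worse by the application running with elevated permissions) in runnable form. This is an added example, not code from the thread or from the article; it uses Python's sqlite3 module as a stand-in for SQL Server, and the users table and its three rows are constructed for the demonstration.

```python
import sqlite3


def make_db():
    """Build a throwaway in-memory database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, "
        "username TEXT NOT NULL, is_admin INTEGER NOT NULL)"
    )
    # Constructed sample data, not taken from the thread or the article.
    conn.executemany(
        "INSERT INTO users (username, is_admin) VALUES (?, ?)",
        [("alice", 0), ("bob", 1), ("carol", 0)],
    )
    conn.commit()
    return conn


def find_user_concatenated(conn, username):
    """VULNERABLE: the caller's string is spliced into the SQL text, so a
    quote character in the input ends the literal and whatever follows is
    parsed as SQL. Legitimate names containing an apostrophe break it too."""
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def find_user_parameterized(conn, username):
    """FIXED: the SQL text is a constant; the value travels separately as a
    bound parameter and is compared as data, never parsed as SQL."""
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def compare(username):
    """Run both versions on the same input and report what each returned,
    or that the concatenated query failed to parse at all."""
    conn = make_db()
    try:
        unsafe = find_user_concatenated(conn, username)
    except sqlite3.OperationalError as exc:
        unsafe = "SQL syntax error: %s" % exc
    safe = find_user_parameterized(conn, username)
    conn.close()
    return {"concatenated": unsafe, "parameterized": safe}


if __name__ == "__main__":
    # "O'Brien" is an ordinary name; the last value is the textbook
    # tautology that turns a single-row lookup into a full table read.
    for value in ("alice", "O'Brien", "x' OR '1'='1"):
        print(repr(value), compare(value))
```

The concatenated version returns the right row for "alice", raises a syntax error for "O'Brien", and returns every user for the tautology input; the parameterized version returns exactly the matching rows in all three cases. In T-SQL the same separation of code from data comes from sp_executesql with a parameter list (or a parameterized command on the client side) rather than EXEC of a concatenated string. The second half of Rich's point is independent of the query style: run the application login with the least privilege it needs, so a hole that does slip through cannot read or alter more than that login is allowed to.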
August 12, 2015 at 3:00 am
Because people who don't know what they're doing write blog posts/articles showing what little they know (eg login forms with plain text passwords and SQL injection vulnerabilities) and they get 5 star ratings from people who know even less and the code gets copy-pasted into real projects because the developers are cheap, low skill and don't have time/enthusiasm to improve themselves.
</rant>
Gail Shaw
Microsoft Certified Master: SQL Server, MVP, M.Sc (Comp Sci)
SQL In The Wild: Discussions on DB performance with occasional diversions into recoverability
August 12, 2015 at 5:40 am
WayneS (8/11/2015)
We've known how to stop SQL Injection for over a decade now. I'd be curious to know others' thoughts as to why they think that SQL Injection is still so rampant. I've got my thoughts, but I'd like to see others before I share them.
Ignorance is number one. Just because you and I have known how to stop SQL Injection for (well) over a decade now, doesn't mean that the word has gotten out. Why do I think this is number one? How come we get at least one question a week on these forums saying "Hey, my database is floating face down in the water and we don't have backups, what do I do to recover it"? Ignorance. For whatever reason, there are tons of people out there that don't read anything, don't learn anything, aren't growing as developers and DBAs and technologists. They learned something once. It was wrong, but it worked. They're done. I don't know how people can be like that, but they are.
Following on ignorance, you also get laziness, misplaced priorities, complaisance (who would hack us?), even active resistance to change (although, link that back up to ignorance again) and probably, in a tiny minority of cases, stupidity. However, the number one issue is, has to be, ignorance.
"The credit belongs to the man who is actually in the arena, whose face is marred by dust and sweat and blood"
- Theodore Roosevelt
Author of:
SQL Server Execution Plans
SQL Server Query Performance Tuning
August 12, 2015 at 9:37 am
GilaMonster (8/12/2015)
Because people who don't know what they're doing write blog posts/articles showing what little they know (eg login forms with plain text passwords and SQL injection vulnerabilities) and they get 5 star ratings from people who know even less and the code gets copy-pasted into real projects because the developers are cheap, low skill and don't have time/enthusiasm to improve themselves.
</rant>
I will add to that. In addition to the low time/enthusiasm on the part of the developer, is the low expectations from management. No requirement/encouragement to improve skillsets. Code it quick and get it out - quality doesn't matter and employees don't matter.
Combine that, and you get wonderfully lazy code.
Jason...AKA CirqueDeSQLeil
_______________________________________________
I have given a name to my pain...MCM SQL Server, MVP
SQL RNNR
Posting Performance Based Questions - Gail Shaw
Learn Extended Events
August 12, 2015 at 9:41 am
Grant Fritchey (8/12/2015)
Following on ignorance, you also get laziness, misplaced priorities, complaisance (who would hack us?), even active resistance to change (although, link that back up to ignorance again) and probably, in a tiny minority of cases, stupidity. However, the number one issue is, has to be, ignorance.
Sounds like we have a recursive ignorance problem.
Ignorance <---------------------------
  laziness                           |
  priorities suck                    |
  complaisance                       |
  resistance to change --------------+
Wash rinse repeat!
Jason...AKA CirqueDeSQLeil
_______________________________________________
I have given a name to my pain...MCM SQL Server, MVP
SQL RNNR
Posting Performance Based Questions - Gail Shaw
Learn Extended Events
August 12, 2015 at 11:50 am
SQLRNNR (8/12/2015)
Grant Fritchey (8/12/2015)
Following on ignorance, you also get laziness, misplaced priorities, complaisance (who would hack us?), even active resistance to change (although, link that back up to ignorance again) and probably, in a tiny minority of cases, stupidity. However, the number one issue is, has to be, ignorance.
Sounds like we have a recursive ignorance problem.
Ignorance <---------------------------
  laziness                           |
  priorities suck                    |
  complaisance                       |
  resistance to change --------------+
Wash rinse repeat!
Actually, you'd be lucky to get either the Wash or the Rinse parts... The Repeat part is abundant, however...
Steve (aka sgmunson) 🙂 🙂 🙂
Rent Servers for Income (picks and shovels strategy)