Does SQL injection still work 2021?

blog + secure coding Z. Oualid todayJune 3, 2021

Background
share close

Every time I do a course about penetration testing or secure coding, the most common question I get from my student is for example, Does SQL injection still work 2021?

SQL injection still works in 2021 and it will probably still working at least for the next 5 years. In fact, this is still working mainly because developers are still not well educated about information security vulnerabilities.

If you are interested in understanding why this vulnerability still exists until now, just keep reading.

Reasons why SQL injection still working in 2021?

Not much trained Developers about secure coding

When dealing with cybersecurity, the most important thing that plays a big role in producing a secure or vulnerable application is education. You should know that even if you put the most powerful security systems and tools to scan a developer’s source code they will still produce vulnerable code if they are not well educated. This is very normal, as making mistakes is part of human nature.

Most software development companies adopt what we call agile methods. These methods are used to produce as fast as possible the first version of their product. Therefore, this phase of training especially on making secure codes is not taken seriously and in most cases not performed at all.

Not using code vulnerability scanners

Adopting a Secure Development Lifecycle means, integrating security in every aspect of the development process starting from requirement definition to integration and maintaining. However, doing this increases the development time, which means higher costs for developing the “same” application.

The security checks can be automated at a certain level with limitations. In addition, there are some tools that can be used at different levels of the development process to reduce the amount of work security experts would do.

Unfortunately, not many companies use those tools in their development. One of the most common reasons is the cost of such tools.

Also, this is comprehensive as most of the modern and effective code scanners, use AI technology to reduce the number of false-positive and to find the deepest vulnerabilities.

Not all technologies are supported by code vulnerability scanners

Software development techniques and technologies are changing every day. In addition, a lot of them are created every day with a completely different concept and syntax. Therefore, and unfortunately, the AI technology in this field is not that advanced to automatically understand the new concepts and technologies.

This means that it takes time for the tool vendor to update their tools and integrate those new technologies.

This is another reason why many companies do not use source code security scanners. Even if I do not totally agree with this, as at least a black box vulnerability scanner should be used.

Not performing penetration testing at the end of development lifecycle

One of the most important tasks in the secure development life cycle is performing a penetration test at the end of the development process. Unfortunately, penetration testing is still considered a luxury job that only the best and biggest solutions in the world should do. This is totally incorrect, this as important task as the application functionality’s usual tests.

A lot of developers think that penetration testing is something made to judge their work. This is also one of the reasons why they don’t like to perform a penetration test and I totally understand this feeling. However, this is really not the reason why penetration testing is performed.

Information technology is a vast field and for sure, no one knows everything. Therefore, trust me there is a lot of things that you know about Software development that the penetration tester does not know.

When a penetration test is performed, it is only to help to make the application security level better.

What is the real impact of an SQL injection?

I really enjoyed asking this question to my student each time I do a course about secure development. I mean, I really like to see how far the human imagination could go. Unfortunately, it is very rare to find someone that can think outside the box and tells me that the impact could be as bad as taking control over the whole hosting server.

Yes, you heard me taking control over the whole hosting server. Here is a scenario where an SQL injection vulnerability could have such an impact.

Let’s say for example that you have a website developed by ASP.NET, and that this website store his data in an SQL database managed by SQLserver DBMS.

  1. Having an SQL injection means you have full control over what SQL request you can execute.
  2. You should know that in SQLserver there is a special function in the SQL language that give DB users the ability to run System commands
  3. Which means executing any system command.
  4. In addition, most of the time SQL Server is started by administrator privileges, and the SQL function run commands with the SQL server privileges
  5. Which means full control over the hosting server.

How can we stop SQL injection from existing?

Training Developers on secure coding

Training your developers about the most common vulnerabilities that they could make in their source code is critical. The more your developers are aware of the impact of the vulnerabilities they are making, the more likely to start avoiding them.

Avoid vulnerabilities at the development level is the best way to reduce the time needed for penetration tester and security expert to find them.

You should know that application vulnerabilities are in general all the same, the only difference is the code syntax that leads to this vulnerability. Therefore, training them about common vulnerabilities concepts and how they can avoid them in one development technology is sufficient as a beginning.

For example, you can train them about OWASP TOP 10 vulnerabilities at least in the beginning and when they get good at it you can start to expand to other more advanced courses.

Adopting a Secure development lifecycle

A secure development lifecycle is a concept that integrates security in every step of the software development life cycle, starting from the requirement definition till the implementation and maintenance.

Fortunately, in the last few years, many companies are starting to think seriously about adopting a secure development lifecycle. Some of them get interested in this because they have seen and understand how important and how beneficial it is for their business. Other where forced by their clients to do it.

Written by: Z. Oualid

Rate it

About the author
Avatar

Z. Oualid

I am a Cyber Security Expert, I have worked with many companies around the globe to secure their applications and their networks. I am certified OSCP and OSCE which are the most recognized and hard technical certifications in the industry of cybersecurity. I am also a Certifed Ethical hacker (CEH). I hope you enjoy my articles :).


Previous post
dynamic application security testing DAST

todayMay 31, 2021

close

blog Z. Oualid

DAST vs Pentest in DevSecOps

One of the most confusing systems in the DevSecOps methodology is Dynamic application security testing (DAST). Many people I’ve met think are basically confused between DAST penetration testing and either ...


Similar posts

Post comments (0)

Leave a reply

Your email address will not be published. Required fields are marked *