Sunday, October 6, 2013

SQL Injection, OWASP AppSec 2013, Free Training, Published Bad Code

Since 2003, SQL injection has remained in the top 10 of the CVE (Common Vulnerabilities and Exposures) dictionary. Injection is the number one vulnerability on the OWASP (Open Web Application Security Project) Top 10.

In the Verizon Business Data Breach Investigations Report 2013, SQL injection was identified as the single largest attack vector responsible for data theft. The report states, “60% of SQL injection attacks in the 2011 dataset were single-event incidents, meaning they exfiltrated data (or otherwise caused an incident) in the initial compromise and didn’t continue beyond that. Single-event incidents are often over and done in a matter of seconds or even milliseconds.”

Yet, remarkably, SQL injection is one of the low-hanging fruits that any organization can resolve without much effort. So how is it that we still have SQL injection as a top ten vulnerability after 14 years? Developer training, evangelizing to IT management, IT tools and code reviews can all help reduce SQL injection. In this blog post I go over some great resources for developer training.

Invest in your developers' training. The payback is worth it.

**APPSEC USA 2013** is a great place for developers to get together and learn how to defend their applications. This year APPSEC USA 2013 is in New York, November 18-21.

Jim Manico, VP of Security Architecture at WhiteHat Security and OWASP board member, gave a shout out to SafeCode, a very well funded non-profit secure coding organization. It is in the process of releasing a large inventory of fairly high quality secure coding training. Check it out.

**Published example demo code**
But please be aware that not everything out there is of the quality it should be. Code Magazine, a leading independent developer publication with a strong emphasis on .NET development, had two articles in its May/June 2013 issue that show how SQL injection creeps into applications. Both authors should know better than to use dynamic SQL, even in a demo article.
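Code review is one of the ways listed above to catch this before it is published or copied. As an added example (not code from this post, from Code Magazine or from either article), here is a small review helper that flags statements which build SQL text by string concatenation, the pattern both articles use. The snippets it scans are constructed here in the three languages the samples use (VB.NET, PHP, C#); the regexes are a heuristic for a reviewer's first pass, not a parser.

```python
import re

# Constructed review samples (not the magazine's code) in VB.NET, PHP and C#.
SAMPLE_SOURCES = {
    "vb": [
        'da = New SqlDataAdapter("SELECT * FROM Product", conn)',
        'strQuery = "INSERT INTO logs (custername, cevent, computer) " & _',
        '    "VALUES (\'" & strUserName & "\', \'" & strEvent & "\')"',
        'cmd = New SqlCommand("GetProductsStoredProcedure", conn)',
    ],
    "php": [
        '$sql = "SELECT * FROM users WHERE name = \'" . $name . "\'";',
        '$stmt = $mysqli->prepare("INSERT INTO logs (custername) VALUES (?)");',
    ],
    "csharp": [
        'var cmd = new SqlCommand("SELECT * FROM Product WHERE Id = " + id, conn);',
        'var ok = new SqlCommand("SELECT * FROM Product WHERE Id = @id", conn);',
    ],
}

# A string literal whose text starts a SQL statement.
SQL_LITERAL = re.compile(r"""["'][^"']*\b(?:SELECT|INSERT|UPDATE|DELETE)\b""", re.IGNORECASE)
# A string boundary next to a concatenation operator (& in VB, . in PHP, + in C#)
# with an identifier on the other side: data is being spliced into the SQL text.
CONCAT_AFTER = re.compile(r"""["']\s*[&.+]\s*[$@]?[A-Za-z_]""")
CONCAT_BEFORE = re.compile(r"""[A-Za-z0-9_]\s*[&.+]\s*["']""")


def logical_lines(lines):
    """Yield (first_line_number, text), joining VB continuation lines (trailing _)."""
    buf, start = [], None
    for no, line in enumerate(lines, 1):
        if start is None:
            start = no
        stripped = line.rstrip()
        if stripped.endswith("_"):
            buf.append(stripped[:-1])
            continue
        buf.append(stripped)
        yield start, " ".join(buf)
        buf, start = [], None
    if buf:
        yield start, " ".join(buf)


def find_dynamic_sql(lines):
    """Return the starting line numbers of statements that build SQL by concatenation."""
    hits = []
    for no, text in logical_lines(lines):
        if SQL_LITERAL.search(text) and (CONCAT_AFTER.search(text) or CONCAT_BEFORE.search(text)):
            hits.append(no)
    return hits


def review(sources=SAMPLE_SOURCES):
    """Run the check over every sample and report flagged line numbers per language."""
    return {lang: find_dynamic_sql(lines) for lang, lines in sources.items()}


if __name__ == "__main__":
    for lang, hits in review().items():
        print(f"{lang}: dynamic SQL at lines {hits}")
```

The inline `SELECT * FROM Product` with no concatenation, the stored procedure call, the `prepare()` call with `?` placeholders and the `@id` parameter are all left alone; only the statements that glue a variable into the query text are flagged, which is exactly what a reviewer should be asking the author to rewrite.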

The first article, “Creating Collections of Entity Objects”, shows this SQL statement:

    ' Inline SQL text passed straight to the data adapter
    da = New SqlDataAdapter("SELECT * FROM Product", _
        "Server=Localhost;Database=Sandbox;Integrated Security=Yes")

Not good at all. I can just see someone reading this article, downloading the code, making it work for his or her needs and adding a software vulnerability that a cyber criminal can exploit. The average data breach costs an organization about $300.00 per record. TJ Maxx's data breach cost exceeded $250 million in 2007.

A quick fix:

    // Name a stored procedure instead of passing inline SQL text
    SqlDataAdapter myCommand = new SqlDataAdapter("GetProductsStoredProcedure", myConnection);
    myCommand.SelectCommand.CommandType = CommandType.StoredProcedure;

The next article, “Creating a Robust Web Application with PHP and CodeIgniter”, shows code like this:

    ' Dynamic SQL: the user-supplied strings are spliced into the query text
    strQuery = "INSERT INTO logs " & _
        "(custername, cevent, computer) " & _
        "VALUES ('" & strUserName & "', '" & _
        strEvent & "', '" & _
        strComputerName & "')"

What we should have read from the author is code like this:

    $name = $_GET['username'];
    $event = $_GET['event'];
    $computerName = $_GET['ComputerName'];
    // $mysqli is an open mysqli connection; the ? placeholders keep the data out of the SQL text
    if ($stmt = $mysqli->prepare("INSERT INTO logs (custername, cevent, computer) VALUES (?, ?, ?)")) {
        $stmt->bind_param("sss", $name, $event, $computerName); // Bind the three variables as strings.
        $stmt->execute(); // Execute the statement.
        $stmt->close();   // Close the prepared statement.
    }
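To make the difference between the two versions concrete, here is an added example (not from the post or from either article) that runs both patterns against the same `logs` table. It uses Python's `sqlite3` module, which takes the same `?` placeholders as the mysqli fix above; the table and the sample rows are constructed here. A customer name containing an apostrophe is ordinary data, yet it is enough to break the concatenated query, because the database parses the data as part of the SQL.

```python
import sqlite3

# Constructed sample inputs: the second row holds an apostrophe, which is
# legitimate data but also ends a single-quoted SQL string literal.
SAMPLE_ROWS = [
    ("alice", "login", "ws-01"),
    ("O'Brien", "logout", "ws-02"),
]


def open_db():
    """In-memory SQLite database with the logs table used in the article."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE logs (custername TEXT, cevent TEXT, computer TEXT)")
    return conn


def insert_concatenated(conn, name, event, computer):
    """The article's pattern: user input spliced into the SQL text.
    Returns True on success, False when the input changed the query's structure."""
    query = ("INSERT INTO logs (custername, cevent, computer) VALUES ('"
             + name + "', '" + event + "', '" + computer + "')")
    try:
        conn.execute(query)
        conn.commit()
        return True
    except sqlite3.Error:
        return False  # the data was parsed as SQL, not stored as a value


def insert_parameterized(conn, name, event, computer):
    """The fix: placeholders; the driver sends the values separately from the query text."""
    conn.execute("INSERT INTO logs (custername, cevent, computer) VALUES (?, ?, ?)",
                 (name, event, computer))
    conn.commit()
    return True


def run_comparison(rows=SAMPLE_ROWS):
    """Insert the same rows both ways and report what each approach accepted and stored."""
    results = {}
    for label, insert in (("concatenated", insert_concatenated),
                          ("parameterized", insert_parameterized)):
        conn = open_db()
        ok = [insert(conn, *row) for row in rows]
        stored = [r[0] for r in conn.execute("SELECT custername FROM logs ORDER BY rowid")]
        results[label] = {"ok": ok, "stored": stored}
        conn.close()
    return results


if __name__ == "__main__":
    for label, r in run_comparison().items():
        print(label, r)
```

The concatenated version silently loses the second row (or, with other input, does whatever the input says); the parameterized version stores `O'Brien` exactly as typed. That is the whole point of prepared statements: the query structure is fixed before any user data arrives, so no input can alter it.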

Don’t forget another great resource: the OWASP Cheat Sheets.

SQL Injection Tutorial Infographic (image)