
Developers encouraged to eradicate SQL injection security flaws in software

Officials from CISA and the FBI have traced attacks against MOVEit file transfer software to lapses in security, suggesting that these issues could have been avoided.

In a joint alert issued by the Cybersecurity and Infrastructure Security Agency (CISA) and the FBI, software manufacturers are being urged to take immediate steps to eliminate SQL injection vulnerabilities from their products. These vulnerabilities played a significant role in the widespread attacks linked to MOVEit file transfer software in 2023, underscoring the importance of the issue.

According to the guidance, software manufacturers can eliminate SQL injection vulnerabilities by designing products that systematically prevent the inclusion of user-provided input in SQL query strings. This can be achieved through the consistent use of parameterized queries (prepared statements), which keep user input strictly separate from SQL commands.

The CISA and FBI's Secure by Design initiative recommends several key measures to achieve this. These include:

  1. Consistent enforcement of parameterized queries: This is the most effective way to prevent SQL injection vulnerabilities by ensuring user inputs are never directly concatenated into SQL commands.
  2. Use of memory-safe programming languages or protective hardware: To reduce vulnerabilities, manufacturers should develop software in memory-safe languages, which help prevent related memory safety issues that can compound injection risks.
  3. Avoiding dangerous default configurations: For example, eliminating default passwords and requiring unique passwords on installation reduces the attack surface that can amplify damage from injection flaws.
  4. Patching known exploited vulnerabilities: Manufacturers should patch known SQL injection vulnerabilities promptly before deployment and provide free, prompt patches to customers if new issues arise post-release.
  5. Security scanning of open-source dependencies: Conduct routine vulnerability assessments on incorporated libraries to detect and fix injection risks arising through third-party code.
  6. Automating testing for SQL injection in the build pipeline: Implement automated scanning and testing tools during software development to catch injection vulnerabilities before production deployment.
  7. Applying the principle of least privilege: Restrict database user privileges so that even if SQL injection occurs, attackers’ impact is limited by tightly scoped access controls.
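The following example is added here to illustrate the core recommendation above (item 1, and the guidance on keeping user input out of query strings); it is not code from the CISA/FBI alert or from MOVEit. It uses Python's standard `sqlite3` module against a small in-memory table with constructed sample rows, and places the concatenation anti-pattern beside the parameterized form so the difference in behaviour is visible. It also goes slightly beyond the text with a caveat practitioners run into: bound parameters carry values only, so a caller-chosen identifier (such as a sort column) must instead be checked against a fixed allow-list. The function names, table layout and sample data are assumptions for the example.

```python
import sqlite3

# Constructed sample data (not from the advisory): a small in-memory users table.
SAMPLE_USERS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
    ("carol", "carol@example.com"),
]


def make_db() -> sqlite3.Connection:
    """Create an in-memory SQLite database seeded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, email TEXT NOT NULL)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """The anti-pattern the advisory warns about: user input concatenated into the SQL text.

    The database parser cannot tell attacker-controlled text apart from the
    developer's query, so quoting characters in `username` change the query's logic.
    """
    query = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list:
    """The recommended pattern: a prepared statement with a bound parameter.

    The SQL text is fixed at `?`; the driver passes `username` as data, never as
    query syntax, so no value of `username` can alter the statement's structure.
    """
    query = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


# Parameters bind *values* only. Identifiers (table or column names) and keywords
# such as ASC/DESC cannot be bound, so where those come from the caller they must
# be checked against a fixed allow-list before being placed in the query text.
ALLOWED_SORT_COLUMNS = {"username", "email"}


def list_users_sorted(conn: sqlite3.Connection, sort_column: str) -> list:
    """List all users ordered by a caller-chosen column, validated by allow-list."""
    if sort_column not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"unsupported sort column: {sort_column!r}")
    # Safe to interpolate here: the value is one of our own literal column names.
    query = f"SELECT username, email FROM users ORDER BY {sort_column}"
    return conn.execute(query).fetchall()


if __name__ == "__main__":
    db = make_db()
    benign = "alice"
    hostile = "' OR '1'='1"  # constructed input that closes the quoted literal early
    print("concatenated, benign input :", lookup_vulnerable(db, benign))
    print("concatenated, hostile input:", lookup_vulnerable(db, hostile))  # every row
    print("parameterized, benign      :", lookup_parameterized(db, benign))
    print("parameterized, hostile     :", lookup_parameterized(db, hostile))  # []
    print("sorted by email            :", list_users_sorted(db, "email"))
```

With the parameterized version the hostile string is simply a username that does not exist, so the query returns nothing; with the concatenated version the same string rewrites the WHERE clause and the query returns the whole table. Item 7 above (least privilege) is the complementary control: even the concatenated query would be limited in what it could reach if the application's database account held only the rights that query needs.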

These recommendations align with those of the Open Web Application Security Project (OWASP), emphasizing avoidance of string concatenation for SQL commands, input validation, defense in depth, and use of APIs that separate commands from data to prevent SQL injection attacks.

The evolving role of Chief Information Security Officers (CISOs) now includes providing insights into whether their organizations are potential targets for cyber attacks and advocating for secure software and hardware. Corporate stakeholders are seeking to better understand the risk calculus of their technology stacks, asking the question: Are we a target?

Spencer McIntyre, security research manager and head of Metasploit development at Rapid7, suggests that libraries are readily available to support the pattern CISA suggests for eliminating SQL injection vulnerabilities. However, he notes that what may be reasonable for security leaders may not be reasonable for all software producers.

Under the Biden administration's national cybersecurity strategy, customers should not have to search for hidden defects or change configurations after a product has been shipped and installed. This strategy aligns with the CISA and FBI's call for manufacturers to build SQL injection prevention into product architecture.

In conclusion, software manufacturers are being urged to take proactive measures to eliminate SQL injection vulnerabilities from their products. By enforcing parameterized queries, developing in memory-safe environments, managing credentials securely, patching proactively, and automating security testing and vulnerability management processes, manufacturers can significantly reduce the risk of SQL injection attacks.

  1. The Cybersecurity and Infrastructure Security Agency (CISA) and the FBI's guidance encourages software manufacturers to employ parameterized queries to systematically prevent SQL injection vulnerabilities in their products, as this keeps user input strictly separate from SQL commands.
  2. To adhere to the CISA and FBI's recommended measures for SQL injection prevention, companies should not only enforce parameterized queries but also consider other strategies, such as using memory-safe programming languages, avoiding dangerous default configurations, patching known vulnerabilities, and automating testing for SQL injection in their build pipelines.
