SQL Injection Persists as Web Security Vulnerability, CISA-FBI Advisory Warns

A joint alert from the Cybersecurity and Infrastructure Security Agency and the FBI urged technology manufacturers to conduct formal evaluations of their software products to eliminate security weaknesses arising from structured query language (SQL) injection.

The agencies released the advisory, “Secure by Design Alert, Eliminating SQL Injection Vulnerabilities in Software,” following a recent SQLi attack on a managed file transfer application that hit thousands of organizations. Many customers remain at risk from the vulnerabilities despite the extensive SQLi documentation and accessibility of mitigation methods, CISA said Monday.

The advisory pointed out that threat actors initiate SQLi attacks by inserting maliciously crafted structured SQL into database parameters. The injection can enable the execution of unintended SQL commands, including exfiltration, manipulation or deletion of stored data.

One way for software developers to prevent SQLi exploitation is through the use of parameterized queries, in which prepared statements keep user-supplied data separate from the SQL code, according to the advisory. It also encouraged manufacturers to be transparent with customers about product vulnerabilities by disclosing them through the CVE program.
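As an added illustration (not code from the advisory or this article), the string-building pattern the advisory warns against is shown beside the parameterized form, run against a constructed in-memory SQLite table; the table, the usernames and the test inputs are all made up for the example.

```python
import sqlite3


def make_db():
    # Constructed sample data for the example; any real schema behaves the same.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    return conn


def lookup_unsafe(conn, username):
    # Vulnerable pattern: user-supplied text is spliced into the SQL string,
    # so the database parser cannot tell where the data ends and code begins.
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, username):
    # Mitigation from the advisory: the SQL text is fixed, and the value is
    # bound separately as a parameter, so it is only ever treated as data.
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def runs_without_error(conn, lookup, value):
    # True when the lookup accepts the value; False on a SQL syntax error,
    # which is what a legitimate apostrophe (e.g. O'Brien) triggers in the
    # unsafe version because the quote terminates the string literal early.
    try:
        lookup(conn, value)
        return True
    except sqlite3.OperationalError:
        return False


if __name__ == "__main__":
    db = make_db()
    crafted = "' OR 1=1 --"  # constructed test input containing SQL syntax
    print("unsafe:", lookup_unsafe(db, crafted))          # every user
    print("parameterized:", lookup_parameterized(db, crafted))  # no user
    print("unsafe handles O'Brien:", runs_without_error(db, lookup_unsafe, "O'Brien"))
    print("parameterized handles O'Brien:",
          runs_without_error(db, lookup_parameterized, "O'Brien"))
```

The same bound-parameter form is what a developer should check for in every query path when carrying out the formal review the advisory asks for.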
