Developers advised to eradicate SQL injection weaknesses in software
In a joint alert issued on Monday, the Cybersecurity and Infrastructure Security Agency (CISA) and the FBI have urged software manufacturers to take immediate action to eliminate SQL injection vulnerabilities. These vulnerabilities, which have been a significant factor in numerous cyber attacks, including the widespread attacks linked to MOVEit file transfer software in 2023, pose a substantial threat to digital security.
The agencies recommend that software manufacturers systematically prevent SQL injection vulnerabilities by consistently enforcing the use of parameterized queries or prepared statements. These keep user input separate from the SQL statement text, so the database engine treats the input as data rather than as part of the command, which blocks injection attempts. Other recommended steps include never concatenating user-provided input directly into SQL query strings, developing software in memory-safe languages or with protective hardware, patching known exploited vulnerabilities before product deployment, and regularly scanning open source software dependencies for known vulnerabilities.
Spencer McIntyre, security research manager and head of Metasploit development at Rapid7, emphasizes the importance of libraries that support the pattern CISA suggests for eliminating SQL injection vulnerabilities. He suggests that adopting prepared statements can separate SQL code from user-supplied data, preventing SQL injection vulnerabilities. This would mean that customers do not have to search for hidden defects or change configurations after a product has been shipped and installed into a computer network.
However, McIntyre acknowledges that what is reasonable for security leaders may not be reasonable for all software producers. He notes that migrating to prepared statements generally seems like a reasonable ask, but the software industry has been aware of the risk of SQL injection flaws for decades yet has not taken sufficient steps to remove these defects from software.
CISA officials are pushing for software and hardware manufacturers to make their products secure by design and secure by default as part of the Biden administration's national cybersecurity strategy. The role of the CISO is evolving to include a clearer understanding of the risk posed by each component of the corporate technology stack, and corporate stakeholders are seeking to understand whether their organizations are potential targets.
If SQL injection vulnerabilities are found, the agencies are asking software companies to take immediate steps to eliminate these defects from existing and future software. The cornerstone for eliminating SQL injection vulnerabilities is to never construct SQL queries by concatenating user input directly; instead, use parameterized queries or prepared statements consistently. Complement this with timely patching, secure coding in memory-safe languages, and diligent dependency management, as outlined in the CISA and FBI joint guidance.
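The following is an added example illustrating the recommendation above; it is not code from the CISA/FBI alert or from any vendor mentioned in the article. It uses Python's built-in sqlite3 module and a constructed in-memory users table to show a deliberately vulnerable concatenated query beside its parameterized replacement, run against the same attacker-controlled input. It also covers one caveat practitioners run into: bind parameters only work for values, not for identifiers such as column names, so an ORDER BY column supplied by a user has to be validated against an allowlist instead. The table, sample rows and function names are assumptions made for this example.

```python
import sqlite3

# Constructed sample data for this example (not from the original article).
USERS = [
    ("alice", "s3cret-hash-1"),
    ("bob", "s3cret-hash-2"),
]


def make_db() -> sqlite3.Connection:
    """Create an in-memory SQLite database with a constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, pw_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """Deliberately vulnerable: user input is concatenated into the SQL text.

    Input such as  x' OR '1'='1  changes the WHERE clause and matches every row.
    """
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn: sqlite3.Connection, name: str) -> list:
    """Hardened: the statement text is fixed and the driver binds the value.

    The same attacker input is compared literally as a name and matches nothing.
    """
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


# Identifiers (table and column names) cannot be bound as parameters, so a
# user-selected sort column must be checked against a fixed allowlist.
ALLOWED_SORT_COLUMNS = {"name", "pw_hash"}


def list_users_sorted(conn: sqlite3.Connection, column: str) -> list:
    """Return user names ordered by an allowlisted column name."""
    if column not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"unsupported sort column: {column!r}")
    # Safe to interpolate only because `column` was validated above.
    return [row[0] for row in conn.execute(f"SELECT name FROM users ORDER BY {column}")]


def demo() -> dict:
    """Run both lookups with a classic tautology payload and return the results."""
    conn = make_db()
    payload = "x' OR '1'='1"
    results = {
        "vulnerable": lookup_vulnerable(conn, payload),      # -> ['alice', 'bob']
        "parameterized": lookup_parameterized(conn, payload),  # -> []
        "sorted": list_users_sorted(conn, "name"),            # -> ['alice', 'bob']
    }
    conn.close()
    return results


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

The vulnerable function returns every user because the payload rewrites the WHERE clause; the parameterized version returns nothing because the payload is bound as an ordinary string. Any attempt to pass a crafted value as the sort column is rejected before it reaches the database, which is the pattern to use for the parts of a statement that a placeholder cannot cover.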
In summary, the urgent call to action from CISA and the FBI underscores the importance of proactive prevention through secure coding practices, patch management, and dependency management in the software industry. Software manufacturers should consistently enforce the use of parameterized queries or prepared statements, which keep user input separate from the SQL statement text, and should promptly remove any SQL injection defects found in existing and future software. By taking these steps, they can help protect their customers and the broader digital ecosystem from the threats posed by SQL injection vulnerabilities.