Aerosol

The SQL Injection Threat Study

Part 1. Introduction

Ponemon Institute is pleased to present the findings of The SQL Injection Threat Study sponsored by DB Networks. The purpose of this research is to understand how organizations respond to the SQL injection threat and their awareness about different approaches to managing this risk.

The study surveyed 595 individuals who work in IT and IT security. The majority of respondents are familiar with core IDS technologies that detect rogue SQL statements on the network that connects the web application to the database.

SQL injections have been defined as being used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution (e.g. to dump the database contents to the attacker). SQL injections exploit security vulnerabilities in an application's software. SQL injection is most commonly known as an attack vector through public-facing websites but can be used to attack SQL databases in a variety of ways.

The most salient findings are shown below:

• The SQL threat is taken seriously because 65 percent of organizations represented in this study experienced a SQL injection attack that successfully evaded their perimeter defenses in the last 12 months.

• Almost half of respondents (49 percent) say the SQL injection threat facing their company is very significant. On average, respondents believe 42 percent of all data breaches are due, at least in part, to SQL injections.

• Many organizations are not familiar with the techniques used by cyber criminals. Less than half of respondents (46 percent) are familiar with the term Web Application Firewall (WAF) bypass. Only 39 percent of respondents are very familiar or familiar with the techniques cyber criminals use to get around WAF perimeter security devices.

• BYOD makes understanding the root causes of an SQL injection attack more difficult. Fifty-six percent of respondents say determining the root causes of SQL injection is becoming more difficult because of the trend for employees to use their personally owned mobile devices (BYOD) in the workplace. Another challenge, according to 41 percent of respondents, is the increasing stealth and/or sophistication of cyber attackers.

• Expertise and the right technologies are critical to preventing SQL injection attacks. While respondents see the SQL threat as serious, only 31 percent say their organization's IT security personnel possess the skills, knowledge and expertise to quickly detect a SQL injection attack, and 34 percent agree that they have the technologies or tools to quickly detect a SQL injection attack.

• Measures to prevent SQL injection attacks are also lacking. Despite concerns about the threat, 52 percent do not take such precautions as testing and validating third-party software to ensure it is not vulnerable to SQL injection attack.

• Organizations move to a behavioral analysis solution to combat the SQL injection threat. Eighty-eight percent of respondents view behavioral analysis either very favorably or favorably.

Read more: http://www.dbnetworks.com/pdf/ponemon-the-SQL-injection-threat-study.pdf
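The two technical points in the excerpt, malicious SQL inserted into an entry field to dump the database and behavioral analysis of the SQL statements flowing between application and database, can both be seen in a few lines of Python. The block below is an added example and is not code from the study, from DB Networks or from the poster. It runs a deliberately string-built lookup against an in-memory SQLite table of constructed sample users, shows the same lookup done with a bound parameter, and then applies a toy behavioral baseline that reduces each statement to its shape (literals replaced by placeholders) and flags any statement whose shape was never seen while learning. The table layout, sample rows, function names and the tautology payload are all assumptions made for the illustration.

```python
import re
import sqlite3

# Constructed sample data: two users, one of them an admin (assumption for the demo).
SAMPLE_USERS = [("alice", "hash-a", 1), ("bob", "hash-b", 0)]


def build_db():
    """Create an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, pw_hash TEXT, is_admin INTEGER)"
    )
    conn.executemany(
        "INSERT INTO users (name, pw_hash, is_admin) VALUES (?, ?, ?)", SAMPLE_USERS
    )
    return conn


def lookup_vulnerable(conn, name):
    """Deliberately vulnerable: the entry-field value is concatenated into the SQL text.
    Returns (sql_sent_to_db, rows) so the statement itself can be inspected."""
    sql = "SELECT name, pw_hash FROM users WHERE name = '" + name + "'"
    return sql, conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    """Hardened form: the value travels as a bound parameter, never as SQL text."""
    sql = "SELECT name, pw_hash FROM users WHERE name = ?"
    return sql, conn.execute(sql, (name,)).fetchall()


# --- toy behavioral baseline for statements seen on the app-to-database link ---

_STRING_LITERAL = re.compile(r"'(?:[^']|'')*'")     # 'abc' or 'it''s'
_NUMBER_LITERAL = re.compile(r"\b\d+(?:\.\d+)?\b")  # 42 or 3.14
_WHITESPACE = re.compile(r"\s+")


def statement_template(sql):
    """Reduce a statement to its shape: literals become '?', case and spacing are
    normalised. An injected clause changes the shape even after the literal values
    are removed, which is what the baseline keys on."""
    shape = _STRING_LITERAL.sub("?", sql)
    shape = _NUMBER_LITERAL.sub("?", shape)
    return _WHITESPACE.sub(" ", shape).strip().lower()


class StatementBaseline:
    """Learn the templates an application legitimately issues, then flag anything else."""

    def __init__(self):
        self.known = set()

    def learn(self, sql):
        self.known.add(statement_template(sql))

    def is_anomalous(self, sql):
        return statement_template(sql) not in self.known


# Assumed attacker input: a tautology that makes the WHERE clause always true.
TAUTOLOGY_PAYLOAD = "x' OR '1'='1"


def run_demo():
    conn = build_db()
    baseline = StatementBaseline()

    # Learning phase: statements produced by ordinary, benign lookups.
    for benign in ("alice", "bob"):
        sql, _ = lookup_vulnerable(conn, benign)
        baseline.learn(sql)

    bad_sql, dumped = lookup_vulnerable(conn, TAUTOLOGY_PAYLOAD)
    _, safe_rows = lookup_safe(conn, TAUTOLOGY_PAYLOAD)

    return {
        "rows_dumped_by_injection": len(dumped),          # every user, not just one
        "rows_from_parameterised_query": len(safe_rows),  # nobody is literally named that
        "injected_statement_flagged": baseline.is_anomalous(bad_sql),
        "benign_unseen_value_flagged": baseline.is_anomalous(
            lookup_vulnerable(conn, "carol")[0]           # new value, same shape
        ),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The point of the baseline is that it never looks at the literal values, so a customer named "carol" who was not present during learning is not flagged, while a tautology or a UNION appended through the entry field changes the statement's shape and is. A real product on the database side of the network has to parse the wire protocol and a far richer SQL grammar than this regex normaliser, but the principle of comparing statement structure against what the application has been observed to issue is the same.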
