SQL injection attacks have gone mainstream, probably thanks to the rampaging activities of kids in Guy Fawkes masks. Unfortunately, defenders haven’t kept up: that a full third of web applications are still vulnerable to this comparatively simple technique is probably one of the reasons it remains so popular.
More broadly, it also turns out that greater awareness of security’s importance hasn’t actually translated into better-secured software.
This is a counterpoint to the earlier points on security awareness training: while teaching users to behave securely is important, clearly we also need the people building the systems to think a little more about security. It’s a false dichotomy, though; rather than choosing one or the other, we need both.
“Research suggests there will be a rise in everyday hackers. A simple Google search for “SQL injection hack” provides 1.74 million results, including videos with explicit instructions on how to exploit SQL injection vulnerabilities.
The ready availability of this information makes it possible for less technically skilled hackers to take advantage of this common flaw.
Although SQL injection flaws are easy to identify and fix, Veracode found that 32 percent of web applications are still affected by SQL injection vulnerabilities. As a result, as many as 30 percent of breaches in 2013 will be from SQL injection attacks.
Despite significant improvements in awareness of the importance of securing software, we are not seeing the dramatic decreases in exploitable coding flaws that should be expected,” said Chris Eng, vice president of research, Veracode.
“For each customer, development team or application that has become more secure, there are an equal number that have not. Veracode’s 2013 State of Software Security Research Report provides organizations with ways to reduce the success of potential attacks on company infrastructure by understanding the threat to the application layer and outlines the implications of these trends if organizations continue on their current paths,” Eng added.
The research also concluded that the leading cause of security breaches and data loss for organizations is insecure software. The report found that 70 percent of software failed to comply with enterprise security policies on their first submission for security testing. […]
Veracode also predicts:
Average CISO tenure will continue to decline.
A decrease in job satisfaction/higher turnover for security professionals.
Default encryption, not “opt-in”, will become the norm for mobile applications.”