CISA and FBI Urge Renewed Effort to Eliminate SQL Injection Flaws

Two US government bodies have urged technology vendors to eliminate the “unforgivable” class of vulnerabilities known as SQL injection (SQLi).

The “secure-by-design” alert was issued on March 25 by the Cybersecurity and Infrastructure Security Agency (CISA) and the FBI.

It states that the software industry has known how to eliminate SQLi defects at scale for decades. Yet threat actors were able to exploit just such a vulnerability in MOVEit file transfer software from developer Progress last year, to devastating effect.

The Clop ransomware gang is thought to have made up to $100m from the campaign, which resulted in data exfiltration from thousands of MOVEit corporate clients – impacting the personal details of tens of millions of downstream customers.

“Despite widespread knowledge and documentation of SQLi vulnerabilities over the past two decades, along with the availability of effective mitigations, software manufacturers continue to develop products with this defect, which puts many customers at risk,” the alert noted.

“CISA and the FBI urge senior executives at technology manufacturing companies to mount a formal review of their code to determine its susceptibility to SQLi compromises. If found vulnerable, senior executives should ensure their organizations’ software developers begin immediate implementation of mitigations to eliminate this entire class of defect from all current and future software products.”

SQLi attacks succeed because developers fail to treat user-supplied content as potentially malicious, according to CISA. A successful attack can result not only in theft of sensitive data but can also enable bad actors to tamper with, delete or render information unavailable in a database.

The alert urged technology manufacturers to follow three guiding principles:

  • Take ownership of customer security outcomes by conducting formal code reviews and using “prepared statements with parametrized queries” as a standard practice
  • Embrace “radical” transparency and accountability by ensuring CVE records are correct and complete, documenting the root causes of vulnerabilities, and working towards eliminating entire classes of vulnerability
  • Realign business goals toward secure-by-design software development, including making the right investments and building incentive structures. This could ultimately help reduce financial and productivity costs as well as complexity
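To make the first principle concrete, the following is an added example (not code from the alert, CISA, the FBI or Progress) showing the defect the alert describes beside the mitigation it names. It uses Python's standard-library sqlite3 module with a constructed in-memory `users` table and a constructed crafted input; the function names, the table, and the small `find_dynamic_sql` review helper are all assumptions made for this illustration.

```python
import ast
import sqlite3


def make_db():
    """Constructed in-memory table so the example runs offline (sample data only)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    conn.commit()
    return conn


def lookup_user_unsafe(conn, username):
    """The defect: user-supplied text is spliced into the SQL string, so the
    database engine parses it as SQL syntax rather than treating it as data."""
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_user_safe(conn, username):
    """The mitigation the alert names: a prepared statement with a bound
    parameter. The value travels to the engine separately from the query text
    and cannot alter the query's structure, whatever characters it contains."""
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def find_dynamic_sql(source):
    """Heuristic code-review aid (an assumption, not a tool the alert names):
    return line numbers of .execute()/.executemany() calls whose first argument
    is assembled by string concatenation, %-formatting or an f-string. Such call
    sites are candidates for conversion to parameterized queries."""
    hits = []
    for node in ast.walk(ast.parse(source)):
        if (
            isinstance(node, ast.Call)
            and isinstance(node.func, ast.Attribute)
            and node.func.attr in ("execute", "executemany")
            and node.args
            and isinstance(node.args[0], (ast.BinOp, ast.JoinedStr))
        ):
            hits.append(node.lineno)
    return hits


if __name__ == "__main__":
    conn = make_db()
    crafted = "x' OR '1'='1"  # constructed input that becomes SQL when concatenated
    print(lookup_user_unsafe(conn, "alice"))   # the intended single row
    print(lookup_user_unsafe(conn, crafted))   # every row: the query structure changed
    print(lookup_user_safe(conn, crafted))     # []: the value is compared as a literal
    # Reviewing this very file flags the concatenated query in lookup_user_unsafe.
    with open(__file__) as f:
        print("dynamic SQL at lines:", find_dynamic_sql(f.read()))
```

The contrast is the whole point of the alert: the same crafted value that widens the concatenated query to the entire table matches nothing when bound as a parameter, because binding keeps data and code separate. The `find_dynamic_sql` helper is deliberately simple; it catches the common string-building patterns in Python and is meant as a starting point for the formal code review the alert asks executives to mount, not as a substitute for it.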