CISA & FBI : Hackers Exploiting SQL Injection Flaws To Hack Servers

CISA and the FBI released the Secure by Design Alert to address SQL injection vulnerabilities in software that affect thousands of organizations.

A persistent class of defects in commercial software solutions is SQL injection, or SQLi, vulnerabilities.

Even though SQL vulnerabilities have been known about and documented for a decade now, and there are workable mitigations available, software manufacturers have persisted in creating products that have this flaw, endangering a large number of users.

Secure by Design refers to how manufacturers design and create products to prevent malicious cyber actors from exploiting flaws.

Customers’ burden with cybersecurity and public risk is decreased by incorporating this mitigation from the start, especially in the design phase and continuing through development, release, and updates.

“SQL vulnerabilities (such as CWE-89) are still a prevalent class of vulnerability. CWE-89 is on top 25 lists for both the most dangerous and stubborn software weaknesses in 2023”, CISA and FBI said in the report.

Specifics Of The SQL Injection Vulnerabilities

When user input is directly injected into a SQL command, an SQL injection vulnerability occurs, enabling threat actors to run arbitrary queries.

Software developers’ neglect of security best practices leads to the combination of user-supplied data with database queries, which is the root cause of SQLi vulnerabilities.

A successful SQLi exploitation can have disastrous consequences since it compromises the availability, confidentiality, and integrity of a database and the data within it.

In particular, malicious cyber actors may be able to take sensitive data, and modify, remove, or render data in a database unavailable due to SQLi vulnerabilities.

How To Eliminate SQL Injection Vulnerabilities

To avoid this kind of vulnerability, developers should utilize prepared statements in parameterized queries to isolate SQL code from user-supplied data while designing and developing software products.

Software developers should mandate the usage of parametrized queries in all of their applications to systematically eliminate SQLi vulnerabilities.

“CISA and the FBI urge senior executives at technology manufacturers to mount a formal review of their code to determine its susceptibility to SQLi compromises and encourage all technology customers to ask their vendors whether they have conducted such a review”, reads the joint alert.

Three Essential Principles For Developing Software That Is Secure By Design

• Take Ownership Of Customer Security Outcomes

It is recommended that software producers implement the common practice of using prepared statements with parameterized queries in software development

Senior executives at software producers must accept responsibility for their customers’ security, beginning with formal code reviews to assess vulnerabilities.

• Embrace Radical Transparency And Accountability

Software makers ought to monitor the types of vulnerabilities linked to their products and notify customers about them through the CVE initiative. Manufacturers have to make sure that all of the information in their CVE records is accurate.

• Build Organizational Structure And Leadership To Achieve These Goals

As a declared company objective, leaders should create the proper incentive programs and make the necessary investments to support security.

Manufacturers are urged by CISA and the FBI to release their own secure by design roadmap as evidence that they are strategically reconsidering their role in ensuring the safety of their consumers, rather than just putting in place tactical safeguards.