Of 300,000 attack campaigns that have occurred globally over the past 30 days, around a quarter were targeting SQL Injection flaws.
According to Imperva, 24.6 per cent% of all attacks were SQLi attack focused. Barry Shteiman, director of security strategy at Imperva, said that SQL Injection is far from a problem of the past, it is still easy to exploit and an often used attack vector to steal information, and often does not require advanced technical skills to perform.
“In fact, SQLi is so effective that advanced attackers are building automated attack botnets using SQLi automation tools to either break into or onboard new zombies to their botnet,” he said. “We know that SQLi isn’t going anywhere anytime soon, and web application attacks are a real threat that can cost upwards of $200,000 to manage. Education and deploying the necessary mitigation tactics to prevent an attack should be top of mind for everyone.”
The recent NTT 2014 GTIR report revealed that the cost for a “minor” SQL injection attack exceeded $196,000, while an article published by Arstechnica revealed that the US Navy’s “Smart Web Move” databasewas accessed by exploiting an SQL Injection flaw.
Rob Sobers, director at Varonis, said that the tools are out there to detect SQL injection, but said that it is really up to businesses to take the initiative to discover and fix their SQL injection vulnerabilities.
Stephen Coty, chief security evangelist at Alert Logic, said: “SQL Injection has been around for decades and will continue to be as long as there are vulnerable websites and malicious actors willing to exploit them.
“SQLi is effective because people do not have a proper software development lifecycle with security injected into it. Proper coding practices and proactive scanning of developed code is how you are able to protect yourself from SQL injection.”