IT Security Guru

ICO warns businesses to fix SQLi flaws

by The Gurus
November 5, 2014
in Editor's News

The Information Commissioner’s Office (ICO) is warning organisations that they must make sure their websites are protected against SQL flaws.
 
Pointing at a recent case, where the hotel booking website Worldview Limited was fined £7,500 due to a vulnerability on its website which allowed attackers to access the full payment card details of 3,814 customers, the ICO said that the data was accessed after an attacker exploited a flaw on a page of the Worldview website to access the company’s customer database.
 
The weakness had existed on the website since May 2010, and was only uncovered during a routine update on 28 June 2013, after attackers had had access to the information for ten days.
 
Simon Rice, ICO group manager for technology, said that it may come as a surprise that this type of attack is still allowed to occur. “SQL injection attacks are preventable but organisations need to spend the necessary time and effort to make sure their website isn’t vulnerable,” he said. “Worldview Limited failed to do this, allowing the card details of over three thousand customers to be compromised.
 
“Organisations must act now to avoid one of the oldest hackers’ tricks in the book. If you don’t have the expertise in-house, then find someone who does, otherwise you may be the next organisation on the end of an ICO fine and the reputational damage that results from a serious data breach.”
 
Robert Hansen, vice president of WhiteHat Labs, told IT Security Guru that this is interesting, as computer security is one of the few industries that fines the victims of crimes.
 
He said: “I fully agree that SQL Injection is preventable, but it’s also extremely prevalent and can exist for months or years undetected, like it did with the Drupal Core SQLi. Is it the fault of every user of Drupal or Drupal itself?
 
“The reason it often goes unnoticed is because most companies don’t even bother looking for it in the first place, or refuse to do tests against applications that require an authenticated user for fear of damaging their systems. Often they see applications as ancillary to their main company and unrelated enough that they are not worth checking, which is a dangerous assumption if they are on the same network.”
 
Despite sitting at the top of the OWASP top ten, WhiteHat Security CTO Jeremiah Grossman said that according to its Sentinel statistics, SQLi doesn’t rank in the top ten as far as “likelihood” goes.
 
“Currently SQLi stands at number 14, existing in only 5.9 per cent of the sites we currently test,” he said. “This is not to say that SQLi is a solved problem, but it generally afflicts the older secondary and tertiary company websites, not their primaries.”
 
Hansen said that the problem with fixing flaws like SQLi is that companies often try to do everything by hand. Because manual testing does not scale, it can take months or years before they get round to each application, by which time the environment has changed significantly through agile development.
 
He said: “Often SQLi is only identifiable as vulnerable if an attacker has access to source code, which is why source code scanning of open source applications is critical; it ensures that there are no obvious identifiable flaws that lay hidden within the code.
 
“The fix for SQLi is not difficult, but the willpower, know-how and scale to find the flaw in the first place is often lacking.”
 
Chris Eng, vice president of security research at Veracode, said that it does not see the prevalence of SQLi declining significantly.
 
“As of 2013 we were seeing at least one instance of SQL injection in 32 per cent of all web applications that Veracode scans,” he said.
 
He said that one problem in many organisations is that even if newer applications are being developed with security in mind, such as by using a rigorous development lifecycle, thorough testing and developer education, there can be hundreds of older applications that may never have been tested, and these still leave the organisation vulnerable.
 
Eng said: “I do not believe a £500,000 fine proposed by the ICO will be enough to compel organisations to act to ensure they are protected against SQL injection. This amount is a rounding error to a large organisation, which may have hundreds of applications to secure.”
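As an added example that is not part of the original article, this shows the kind of defect the ICO describes and the parameterised query that removes it, run side by side against a constructed in-memory SQLite table (the customer names, emails and masked card numbers are made up; `lookup_vulnerable` and `lookup_fixed` are hypothetical names).

```python
"""Added example: a customer lookup written two ways. The vulnerable
form splices user input into the SQL text; the fixed form passes it as
a bound parameter. All data below is constructed for the demonstration."""
import sqlite3

# Constructed sample rows resembling a booking site's customer store.
CUSTOMERS = [
    ("alice@example.com", "Alice", "4111********1111"),
    ("bob@example.com", "Bob", "5500********0004"),
    ("carol@example.com", "Carol", "3400********0009"),
]


def make_db() -> sqlite3.Connection:
    """Build an in-memory database holding the constructed customers table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (email TEXT, name TEXT, card TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", CUSTOMERS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, email: str) -> list:
    """The pattern the ICO is warning about: the untrusted value becomes part
    of the statement text, so a quote in the input rewrites the query."""
    sql = f"SELECT name, card FROM customers WHERE email = '{email}'"
    return conn.execute(sql).fetchall()


def lookup_fixed(conn: sqlite3.Connection, email: str) -> list:
    """Parameterised query: the driver sends the value separately from the
    statement, so the input can only ever be compared as data. This also
    makes legitimate values containing an apostrophe work correctly."""
    sql = "SELECT name, card FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    # The textbook always-true input, shown only to make the contrast visible:
    # the vulnerable query returns every card row, the fixed one returns none.
    probe = "x' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(db, probe))
    print("fixed:     ", lookup_fixed(db, probe))
    # A perfectly legitimate address with an apostrophe breaks the vulnerable
    # query with a syntax error, while the fixed one simply finds no match.
    print("fixed, apostrophe:", lookup_fixed(db, "o'brien@example.com"))
```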

© 2015 - 2019 IT Security Guru - Website Managed by Calm Logic