Preventing SQL Injection Storm Attacks

“The malicious SQL payload is very well designed, somewhat database schema agnostic and generic so it could compromise as many database servers as possible,” said Michael Howard, Senior Security Program Manager in the Security Engineering group at Microsoft. “While the attack was a SQL injection attack that attacked and compromised back-end databases courtesy of vulnerable Web pages, from a user's perspective the real attack was compromised Web pages that serve up malware to attack users through their browsers.”

Howard's position is that, since there is no product vulnerability for any vendor (Microsoft included) to patch, the best way to protect the database is to secure the application code as thoroughly as possible. According to Howard, the practices in Microsoft's Security Development Lifecycle can help bulletproof vulnerable databases: SQL parameterized queries, stored procedures, and SQL execute-only permission.
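As an added example (not code from the article or from Microsoft), the string-concatenation pattern behind these attacks is shown beside the parameterized query Howard recommends, using Python's sqlite3 against a constructed in-memory table; stored procedures and execute-only permission are SQL Server features and are not shown here.

```python
import sqlite3


def make_db():
    # Constructed sample data standing in for a vulnerable site's back-end table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (name, email) VALUES (?, ?)",
        [("alice", "alice@example.com"),
         ("bob", "bob@example.com"),
         ("O'Brien", "obrien@example.com")],
    )
    return conn


def lookup_vulnerable(conn, name):
    # Vulnerable pattern: request input is pasted into the SQL text, so a quote
    # character in `name` ends the literal and the rest is parsed as SQL.
    sql = f"SELECT id, name, email FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name):
    # Hardened pattern: the statement shape is fixed; `name` is bound as a value
    # and can never be interpreted as SQL syntax, whatever it contains.
    sql = "SELECT id, name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def input_became_syntax(conn, name):
    # True when the concatenated query no longer parses, i.e. the input altered
    # the statement's structure. This is the same mechanism injection abuses;
    # here an ordinary apostrophe is enough to show it.
    try:
        lookup_vulnerable(conn, name)
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    db = make_db()
    print("parameterized:", lookup_parameterized(db, "O'Brien"))
    print("concatenated query broke on input:", input_became_syntax(db, "O'Brien"))
```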