diTii.com Digital News Hub


Jun 03, 2008

Preventing SQL Injection Storm Attacks

“The malicious SQL payload is very well designed, somewhat database schema agnostic and generic so it could compromise as many database servers as possible,” said Michael Howard, Senior Security Program Manager in the Security Engineering group at Microsoft. “While the attack was a SQL injection attack that attacked and compromised back-end databases courtesy of vulnerable Web pages, from a user’s perspective the real attack was compromised Web pages that serve up malware to attack users through their browsers.”

Howard’s position is that, since there is no product vulnerability for vendors (Microsoft included) to patch, the best way to protect the database is to secure the Web application code itself as much as possible. According to Howard, Microsoft’s Security Development Lifecycle can help bulletproof vulnerable databases through SQL parameterized queries, stored procedures, and SQL execute-only permissions.
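As an added illustration of the parameterized-query mitigation Howard names (example code, not the article's or Microsoft's own; it uses Python's sqlite3 in place of the ASP/SQL Server stack, with a constructed table and a constructed hostile input), the same page lookup is written once with string concatenation and once with a bound parameter:

```python
import sqlite3


def make_db():
    # Constructed in-memory table standing in for a site's back-end content table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (slug TEXT, body TEXT)")
    conn.executemany(
        "INSERT INTO pages VALUES (?, ?)",
        [("home", "Welcome"), ("about", "About us"), ("contact", "Contact")],
    )
    return conn


def lookup_concatenated(conn, slug):
    # Vulnerable pattern: the request parameter is spliced into the SQL text,
    # so a quote character in it changes the structure of the query.
    sql = "SELECT body FROM pages WHERE slug = '" + slug + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, slug):
    # Mitigated pattern: the SQL text is fixed and the value is bound by the
    # driver, so the same input is compared as data and never parsed as SQL.
    sql = "SELECT body FROM pages WHERE slug = ?"
    return [row[0] for row in conn.execute(sql, (slug,))]


def demo():
    conn = make_db()
    normal = "about"
    hostile = "x' OR '1'='1"  # constructed input containing a closing quote
    return {
        "concat_normal": lookup_concatenated(conn, normal),
        "concat_hostile": lookup_concatenated(conn, hostile),
        "param_normal": lookup_parameterized(conn, normal),
        "param_hostile": lookup_parameterized(conn, hostile),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The concatenated version returns every row for the hostile input because the quote rewrites the WHERE clause, while the parameterized version returns nothing, since no slug literally equals that string.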
