2024-03-26
Secure by Design Alert: SQL Injection Vulnerabilities
The US Cybersecurity and Infrastructure Security Agency (CISA) and the FBI have published a Secure by Design alert that urges software manufacturers to eliminate SQL injection vulnerabilities from their products. The alert notes that “the software industry has known how to eliminate these defects at scale for decades,” and urges manufacturers to bake security in from the very start of the development process.
Editor's Note
I always consider SQL Injection the "least necessary" vulnerability. They are easily prevented, and one of the easier vulnerabilities to identify. The critical SQL injection vulnerabilities reported in many critical enterprise products are an indicator of how "Ship Fast" will always beat "Secure by Design". Use announcements of SQL injection vulnerabilities, in particular repeated and critical vulnerabilities that can lead to code execution, as the canary to tell you to run from a vendor.
Johannes Ullrich
We know how to solve most SQL Injections, but there is no reason that this bug should exist. Yet here we are with a developer writing software that concatenates SQL into the parser from the user. This is solvable; let’s solve it.
Moses Frost
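The concatenation defect described above, shown beside the parameterized form that removes it. This is an added illustration written for this note, not code from the alert or from any vendor; the table, rows and lookup functions are constructed for the demonstration.

```python
import sqlite3

# Constructed sample data for the demonstration (not from the alert).
SEED_USERS = [("alice", "admin"), ("bob", "staff"), ("carol", "staff")]


def make_db() -> sqlite3.Connection:
    """In-memory database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SEED_USERS)
    return conn


def find_user_concatenated(conn: sqlite3.Connection, name: str) -> list:
    """The defect: user input is spliced into the SQL text itself, so the
    database parser cannot tell where the statement ends and the data begins."""
    query = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(query).fetchall()


def find_user_parameterized(conn: sqlite3.Connection, name: str) -> list:
    """The fix: the statement is fixed text and the value is bound separately,
    so whatever the caller passes is compared as a plain string, never parsed."""
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    benign = "alice"
    # A value containing a quote is enough to change the meaning of the
    # concatenated statement; the parameterized one treats it as data.
    tricky = "x' OR 'a'='a"
    print("concatenated, benign :", find_user_concatenated(db, benign))
    print("concatenated, tricky :", find_user_concatenated(db, tricky))  # every row
    print("parameterized, benign:", find_user_parameterized(db, benign))
    print("parameterized, tricky:", find_user_parameterized(db, tricky))  # no rows
```

Run it to see that the same input returns the whole table through the concatenated lookup and nothing through the parameterized one; no input validation is involved, only how the statement is built.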
CISA began issuing Secure by Design alerts in GFY24. This is the fourth such alert. In the short term, the alerts provide useful secure by design principles for product vendors. In the long term, the alerts can be used to build the case for legal liability claims against product vendors that ship vulnerable products.
Curtis Dukes
Don't get distracted by the term "secure by design"; it's a mindset that is going to take culture change, like always making sure you're mitigating SQL Injection and XSS risks, most commonly by sanitizing input. This bulletin is more about building the culture and mindset than about the specific techniques to reduce risks of SQL injection. Take ownership of the needed processes and support them from the top. Don't be the subject of the next vulnerability disclosure.