The Price of Ignoring SQL Injection Vulnerabilities

Previous posts have defined SQL Injection attacks and shown how they work against web applications. SQL Injection is nothing to take lightly: it falls under Injection, the number one risk in the OWASP Top 10, and ranks number two on the CWE/SANS Top 25 list.

Unfortunately, research has shown that businesses just don't take web application security seriously enough. For those who continue to ignore the vulnerabilities facing their web applications, the end result is often costly. Just ask Montana-based broker-dealer D.A. Davidson & Co., which was ordered to pay $375,000 after the Financial Industry Regulatory Authority (FINRA) found it had been negligent in protecting the personal data of 192,000 of its clients. The data, which resided in a database on a web server, was compromised by a SQL Injection attack launched by Latvian cyber criminals.

False Hopes

The events that unfolded in this case show what happens when no action is taken. The attack, which occurred on December 25, 2007, was preceded by an audit 18 months earlier that recommended the firm upgrade its computer security. D.A. Davidson & Co. did make some upgrades, but its web-facing applications were left wide open: the database was never encrypted, and the default password was never changed, leaving it blank.
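To make the attack concrete, here is an added example (not code from the original post, nor from applicure or D.A. Davidson) of the coding mistake behind a typical SQL Injection: a web application that splices user input straight into a query, beside the parameterized version that closes the hole. It runs against an in-memory SQLite database; the `clients` table and its rows are constructed sample data and stand in for no real schema.

```python
import sqlite3

# Constructed sample rows standing in for a customer table (hypothetical data).
SAMPLE_CLIENTS = [
    (1, "alice", "000-00-0001"),
    (2, "bob", "000-00-0002"),
    (3, "carol", "000-00-0003"),
]


def build_db():
    """Create an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE clients (id INTEGER PRIMARY KEY, username TEXT, ssn TEXT)"
    )
    conn.executemany("INSERT INTO clients VALUES (?, ?, ?)", SAMPLE_CLIENTS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    """Builds the query by string concatenation.

    Whatever the caller supplies becomes part of the SQL text, so a value
    such as  x' OR '1'='1  turns a single-row lookup into a full table dump.
    """
    sql = (
        "SELECT id, username, ssn FROM clients WHERE username = '"
        + username
        + "'"
    )
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    """Same lookup with a bound parameter.

    The driver sends the value separately from the statement, so quotes and
    OR clauses inside it are matched as literal text, never parsed as SQL.
    """
    sql = "SELECT id, username, ssn FROM clients WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


if __name__ == "__main__":
    db = build_db()
    payload = "x' OR '1'='1"
    print("vulnerable, normal input:  ", lookup_vulnerable(db, "alice"))
    print("vulnerable, injected input:", lookup_vulnerable(db, payload))
    print("parameterized, injected:   ", lookup_parameterized(db, payload))
```

Run it and the concatenated query returns every client's record for the injected value, while the parameterized query returns nothing, because it is looking for a user literally named `x' OR '1'='1`. Note that the fix is the parameter binding, not input filtering: the hardened function never inspects the value at all.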

I am sure they paid quite a bit of money for the security audit. Code reviews, audits, and penetration tests are not cheap. Why a company would spend even a minimal amount of money on an assessment and then ignore all of its recommendations is beyond comprehension, yet it is something that happens every day.

Security and Common Sense

The D.A. Davidson & Co. situation, and the many others like it, amaze me. In a society where data is considered a commodity, the warehouses for this high-priced treasure are under constant attack. Yet even knowing this, as D.A. Davidson & Co. clearly did, companies still neglect to do anything to protect their customers’ personal and financial information.

Times are tight right now. Companies find themselves steering clear of projects that have little or no return on investment. Unfortunately, they aren't spending enough even to protect the investments they already have, and that is costing them heavily. Security solutions may seem costly, but paying over $300,000 in fines to be told a second time that you are vulnerable does not make much business sense.
