Application Security

SQL Injections are like digital cockroaches

Every 3 years we expect a new OWASP report showing which vulnerabilities are most present on the Internet, based on data gathered in the preceding years.

Two things are almost certain.

The first is that choosing the 10 vulnerabilities will raise some very debatable points, as there is always a lively discussion about which vulnerabilities should be added or removed.

The second is that, almost certainly, the first place in the list of the 10 most present vulnerabilities will be occupied by “Injection”, as has happened in the last 3 reports.

Some even say that in the event of a nuclear war, two things are certain. The first is that cockroaches will survive, and the second is that the bomb launching system certainly has an “Injection” vulnerability in its code.

SQL Injection and OWASP Top 10

Leaving the jokes aside, I am still amazed that after 15 years of the OWASP report, since the first edition was released in 2004, we still have this vulnerability among the most important in the web application scenario.

If we draw a chronology we will see that in the first report, in 2004, injection was already in sixth position. In the following report (2007) it had climbed to second place, and it kept rising until it reached first place in the 2010 report, a position it has held ever since.

OWASP Timeline

Web Application is the focus

There are several reports that, throughout the year and especially in its final months, try to show us a picture of what happened during that period.

Verizon annually publishes an assessment of best practices and of the most reported vulnerabilities, similar to what OWASP does.

This year we were told that even with all the improvements in development processes and other practices we still have a large volume of attacks against web applications.

top hacking action vectors in breaches

This single fact alone does not tell us much, since today the vast majority of applications are web applications and the vast majority of companies have their core business built on this type of application.

But what is striking is that even with all this data and information, we still have a lot of problems with applications, the biggest one being Injection vulnerabilities, and within this category SQL Injection.

SQLi & LFI

Another important report is released annually by Akamai. In its report dealing exclusively with Web Attacks and Gaming Abuses, we can see that although the range of vulnerabilities is large, most attacks are concentrated in just two categories, SQLi and Local File Inclusion (LFI), which together represent 89% of attacks.

Top Web Attack Vectors

A very interesting reading of these numbers is that if we were careful with our code in just these two categories, we would have mitigated a large part of the vulnerabilities that are actually being exploited.
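To make the “careful with our code” point concrete, here is an added example (not code from the original article or from Conviso) contrasting the two ways a developer typically writes the same lookup: a query assembled by string concatenation, where untrusted input becomes part of the SQL text, and a parameterized query, where the driver keeps input and SQL separate. It uses Python's standard `sqlite3` module with a constructed in-memory `users` table; the usernames, roles and the two input strings are constructed sample values.

```python
import sqlite3

# Constructed sample data: a tiny users table in an in-memory database.
SAMPLE_USERS = [("alice", "admin"), ("bob", "user"), ("carol", "user")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)", SAMPLE_USERS
    )
    conn.commit()
    return conn


def find_user_vulnerable(conn, username):
    # Anti-pattern: the caller's input is spliced into the SQL text, so any
    # quote characters in it change the structure of the statement.
    query = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(query).fetchall()


def find_user_safe(conn, username):
    # Parameterized query: the placeholder is bound by the driver, so the
    # input is always treated as a value, never as SQL.
    query = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


def demo():
    """Run both lookups against a normal username and against a classic
    tautology input, and return the four result sets for comparison."""
    conn = make_db()
    benign = "bob"                  # constructed, expected input
    tautology = "x' OR '1'='1"      # constructed, untrusted input
    return {
        "vulnerable_benign": find_user_vulnerable(conn, benign),
        "vulnerable_tautology": find_user_vulnerable(conn, tautology),
        "safe_benign": find_user_safe(conn, benign),
        "safe_tautology": find_user_safe(conn, tautology),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

With the benign input both functions return only bob's row. With the tautology input the concatenated query's `WHERE` clause becomes `username = 'x' OR '1'='1'` and returns every user, while the parameterized query looks for a user literally named `x' OR '1'='1` and returns nothing. The same contrast makes a good unit test in a CI pipeline: a query helper that ever returns more rows for a quoted input than for a plain one is a regression worth failing the build over.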

Another worrying fact appears in the Veracode report, whose 10th volume shows us that, in addition to increasing vulnerability numbers, we also have an increasing time between discovery and remediation.

“When Veracode published Volume 1 of the State of Software Security Report, the average number of days organizations took to fix flaws was 59 days. In Volume 10, that average is nearly three times higher at 171 days.”

When the first report was released, the average time between discovery and correction was 59 days; the latest report shows that this number now stands at 171 days.

What the numbers tell

Well, what they show us is that we are losing the race: more and more, automated tools and human creativity are gaining ground on the attack side.

On top of that, we still have the old power dispute between two of the most important areas in business today, as we discussed in our article on the subject.

The amount of SQLi vulnerabilities reported shows us something far more fundamental.

We believe that above all this amount and the long-term presence of these vulnerabilities shows us that we are failing to pass on knowledge to our developers.

We need to structure knowledge acquisition processes through training and the retention of the knowledge generated in the vulnerability management process.

In addition to improving the knowledge acquisition process, we need strong communication between development and security teams.

This is one of the main issues we encounter: poor communication delays the resolution of vulnerabilities in our applications.

SQLi are “harmless”

Even with all this data and all these numbers we still find development and security professionals who do not understand how critical the vulnerabilities brought by OWASP TOP 10 are.

They do not understand the relationship of these vulnerabilities to much more critical ones, failing to realize that often these “simpler” vulnerabilities are used as a starting point for more complex and dangerous exploits.

AppSec professionals are aware of this and are increasingly working to improve the scenario. After all, this is one of their core skills that makes them such a valuable team resource. However, they are often hindered by several factors.

We should also realize that for every problem, there is a process of having to find a solution, implement it, and test it.

Contrary to what many managers imagine, correcting even a minimal vulnerability can take a lot of time and resources.

The amount of vulnerabilities today is immense, and it is simply impossible for any company to defend against them all.

Meanwhile, developers keep creating features and keep introducing vulnerabilities in the code they write.

Creating Structural Processes

Once we understand that there is a gap in the knowledge of our developers, we need to create a favorable scenario so that they can narrow it.

The SQLi vulnerabilities are just a reflection of what we are missing; we need to understand this flaw and its consequences.

We need to seek to create better and more structured processes with integrated code validation processes and better prepared teams.

We hope that companies will understand that investing in training should not be viewed as a necessary requirement just to comply with an audit.

We want to show the market that preparing your team is fundamental and that the result it will bring is much greater than the investment made.

Only a few have heard of the OWASP Top 10

As we can see, it is evident that we are missing something when it comes to AppSec.

Huge pressure for short deadlines, lack of proper planning, a non-existent development process and little control over the vulnerability management process: these are some of the points.

But let’s not leave the developer aside. We know from experience that few, very few, know or have at least heard of the OWASP TOP 10, knowledge that in our understanding should be basic for anyone who works with web development.

When we look at the academic side, the scenario is even worse, since almost no institution has in its curriculum a subject focused on secure development practices.

The vast majority of students leave without even knowing the basics of more security-focused development, and this needs to be changed.

Acquired knowledge

On the business side, companies have to understand that investing in training is by no means wasting resources on a professional who may leave; this investment comes back as better quality development.

The real concern should not be spending resources on professionals who may leave, but losing the knowledge they gained. There are ways to retain it, and one of them is to ensure that the vulnerabilities identified and their remediation process are properly documented, with every step recorded in one central platform where it can be consulted very easily.

So, after all that, what would you wish to do?

About author

Over 15 years of experience in Information Security and Application Security, graduated in Data Processing, worked as a Professor and participated actively as an instructor in trainings for more than 6000 developers and IT teams. Father of two daughters and trader in his free time.