
CISA aims to eliminate dangerous SQL injection flaws forever


TLDR:

– CISA and FBI issue joint alert to address SQL injection vulnerabilities
– Secure by Design guidance aims to mitigate the exploitation of SQL injection defects

Summary:

The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have collaborated to release a joint alert targeting the prevalence of SQL injection vulnerabilities in software products. The new Secure by Design guidance is a response to the recent exploitation of an SQLi defect in the MOVEit file transfer application, highlighting the dangers posed by these vulnerabilities in supply chains.
SQL injection vulnerabilities allow threat actors to inject their own data into SQL commands, enabling them to access sensitive information inside databases through arbitrary queries. Despite the widespread awareness of SQLi vulnerabilities and available mitigations, software manufacturers continue to develop products with this defect, exposing customers to significant risks.
The joint alert emphasizes the critical need to address SQL injection vulnerabilities, which have been deemed ‘unforgivable’ since 2007. Despite this classification, SQL injection (CWE-89) remains a prevalent class of vulnerability in software products. The Secure by Design guidance aims to curb the exploitation of SQL injection defects and enhance the security of software supply chains.
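The defect class described above, shown beside its standard fix, as an added example that is not taken from the alert or from the original article. It uses Python's built-in `sqlite3` module; the table, the function names and the sample rows are constructed for illustration.

```python
import sqlite3

def make_db():
    """In-memory database holding constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE files (owner TEXT, name TEXT)")
    db.executemany("INSERT INTO files VALUES (?, ?)", [
        ("alice", "payroll.xlsx"),
        ("bob", "notes.txt"),
        ("carol", "keys.pem"),
        ("o'brien", "report.pdf"),
    ])
    return db

def list_files_vulnerable(db, owner):
    """CWE-89: the caller's input is spliced into the SQL text itself."""
    query = "SELECT name FROM files WHERE owner = '" + owner + "'"
    return [row[0] for row in db.execute(query)]

def list_files_parameterized(db, owner):
    """The input is bound as a value and cannot alter the statement."""
    query = "SELECT name FROM files WHERE owner = ?"
    return [row[0] for row in db.execute(query, (owner,))]

def probe(lookup, db, owner):
    """Run a lookup; return its sorted rows, or 'error' if the SQL broke."""
    try:
        return sorted(lookup(db, owner))
    except sqlite3.Error:
        return "error"

# Constructed inputs: a normal owner, a legitimate name containing a quote,
# and a value that rewrites the WHERE clause when it is concatenated.
SAMPLES = ["bob", "o'brien", "bob' OR '1'='1"]

if __name__ == "__main__":
    db = make_db()
    for owner in SAMPLES:
        print(repr(owner))
        print("  concatenated: ", probe(list_files_vulnerable, db, owner))
        print("  parameterized:", probe(list_files_parameterized, db, owner))
```

The concatenated query returns every owner's files for the third input and fails outright on the legitimate name `o'brien`; the parameterized query treats both as plain data.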
