It's been a rough week for security companies, especially for their webmasters. A Romanian hacking group decided to embarrass as many as possible by identifying SQL injection (SQLi) flaws in public-facing websites, and Kaspersky, F-Secure and Bit-Defender (actually a reseller) all fell victim to the attacks. Now, SQLi is far from a new issue, and it's widely accepted that pre-auth SQLi vulnerabilities are critical flaws that require immediate attention. Despite this, we see no shortage of SQLi, and it is increasingly becoming a favorite tool for botnet authors, who use such vulnerabilities to inject content into otherwise legitimate web pages in order to redirect browser traffic. I recently commented on the volume of such attacks that we're seeing and stepped through a specific example.
I spend most of my time worrying about emerging threats - the risks that we'll face in the months and years ahead. However, from a business perspective, greater damage comes from current, widespread attacks, and companies, rightly so, dedicate the majority of their security resources to combating the 'clear and present danger' which they face. The events of this past week caused me to ponder how we're doing as an industry in combating what is now a mature and well understood vulnerability - SQLi.
Unfortunately, web application security statistics are somewhat hard to come by. The best come from Whitehat Security, which generally publishes an overview of what they're seeing from scanning client websites. They publish these reports a couple of times a year, so I dug up all of their statistics dating back to November 2006. Sadly, as can be seen in the Whitehat chart, progress appears to be relatively flat. The Whitehat statistics shed light on the likelihood that a particular vulnerability will exist on a given website which they review. We can see that over the past 2+ years, on average, there is a 17 1/3% likelihood of discovering a SQLi vulnerability on any given site. That's truly frightening, and while it helps to explain why such vulnerabilities are so prevalent, it doesn't explain why they aren't going away.
I also pulled statistics from a 2007 survey conducted by the Web Application Security Consortium. These statistics provide a consolidated view from eight separate security services vendors. This time around, we see that approximately 1/4 of sites scanned revealed SQLi vulnerabilities - even worse.
The question we need to ask ourselves is why the statistics are not improving. In my opinion, while the security industry is getting better at detecting and patching such issues, and businesses are better understanding the risks associated with mature vulnerabilities such as SQLi, the population of new developers and web applications is growing at an even faster pace. Who is a web application developer today? Thanks to point-and-click tools, just about anyone can be a web application developer - but that doesn't mean that they're a good developer or one that understands and implements secure coding practices. We've struggled for a long time to educate developers about security, and while such initiatives are important, they will never be enough. Education alone will never succeed in dropping the statistics included in this blog, because the vast majority of 'developers' will never receive such training. The majority of developers don't have a Computer Science degree, and they may not even get paid to develop. As such, vulnerability statistics will only begin to drop once protections are built into the architectures of the 'point-and-click' development tools, implementing security by default. Fortunately, we have started to see vendors take such steps. Only when the 'every man' developer can be protected from attack, without security knowledge, will we truly see a drop in vulnerability statistics.
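To make the 'security by default' point concrete, here is an added example (written for this edit, not code from the post or from any vendor's tool) that puts the concatenated query which lands a site among the 17 1/3% beside the parameterized form a development tool should emit by default; the in-memory table and names are constructed for the demo.

```python
import sqlite3

# Constructed sample data (not from the post): a tiny users table in memory.
SAMPLE_USERS = [("alice", "alice@example.com"), ("o'brien", "ob@example.com")]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """Builds the statement by concatenation: user input is parsed as SQL."""
    sql = "SELECT email FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn: sqlite3.Connection, name: str) -> list:
    """Parameterized: the driver passes the value as data, never as SQL text."""
    sql = "SELECT email FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def demo() -> dict:
    conn = make_db()
    results = {}
    # A perfectly legitimate name containing an apostrophe already breaks the
    # concatenated query, which is the tell that input is reaching the parser.
    try:
        lookup_vulnerable(conn, "o'brien")
        results["vuln_apostrophe"] = "ok"
    except sqlite3.OperationalError:
        results["vuln_apostrophe"] = "syntax error"
    # The parameterized query treats the same string as an ordinary value.
    results["safe_apostrophe"] = lookup_safe(conn, "o'brien")
    # The textbook tautology makes the concatenated WHERE clause always true,
    # so every row comes back; the parameterized query simply finds no such name.
    tautology = "nobody' OR '1'='1"
    results["vuln_tautology"] = lookup_vulnerable(conn, tautology)
    results["safe_tautology"] = lookup_safe(conn, tautology)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The difference is purely a matter of which API the tooling hands the developer: a placeholder-only query builder closes this class of bug without asking the developer to know anything about injection.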