Verizon has issued an addendum to its 2009 threat report that shows how damaging SQL injection attacks have become in a short period of time. According to the report, SQL injection was used in 19 percent of the cases and accounted for 79 percent of the breached records. We expect SQL injection to be the primary means of data access in 2010, accounting for as many as 90 percent of all breached records if proper controls are not put in place.
Their report is titled "Data Breaches Getting More Sophisticated", but the reality is that SQL injection attacks, which fit the 80:20 rule almost exactly, are the result of really "dumb" application development compounded by lax security and missing defenses. The headline should really read "Data Defenses Must Get More Sophisticated".
We are dealing with a quickly evolving threat ecosystem, and companies today need to take measures that assume the hackers will enter the network through the very applications that they have invested in. What provisions do you have in place that will stop the identification and stealing of information? If you can’t answer that question quickly and clearly, you may be in for a difficult 2010.