Removing Vulnerabilities in SQL Code

by Leonardo S
The article I chose for this week is titled “Using Automated Fix Generation to Secure SQL Statements”.  The main purpose of the article is to propose a certain method of securing code from SQL injection attacks.  The article starts by stating that since 2002, more than half of all cyber attacks were done by exploiting input validation vulnerabilities.  SQL injection attacks accounted for 20% of all of those attacks.  For those who don’t know, an SQL injection attack is when a hacker inputs his or her own SQL statement in order to gain access to certain information.  The author’s proposed method of helping to prevent this kind of attack to java code is by using prepared statements rather than just plain text SQL statements.  His reasoning for this is that prepared statements limit the input that could affect the statement.  The author tested this by using prepared statements in five mock java programs which contained vulnerabilities.  Their conclusion was that the vulnerabilities were removed in each program.

After learning about how SQL statements work, I felt that this article was appropriate.  Anyone planning to have a future as a database administrator definitely needs to know how to prevent these kinds of attacks.  This article would mainly help those writing java code that interacts with a database.  However, it still provides insight in the thought process involved in stopping injection attacks.  Taking away the control and limiting the options given to the attacker is a good way to thwart attacks.

Last week I wrote about hackers congregating online in order to spread information about how to commit SQL injection attacks.  After writing that, I felt compelled to learn how to prevent these attacks.  This led me to picking this article.  I have used prepared statements in my java code before but I never realized that they could be used as an attack prevention method.

 

Thomas, S. Williams, L. (2007). Using Automated Fix Generation to Secure SQL Statements. Software Engineering for Secure Systems, 2007. SESS ’07: ICSE Workshops 2007. Third International Workshop on. 1 (1), 9.

3 thoughts on “Removing Vulnerabilities in SQL Code

  • November 11, 2012 at 8:41 pm
    Permalink

    Very interesting article, Similar to mine it talks about injections. I see how in your article they are trying to remove the vulnerabilities while in my article they purposely create vulnerabilities to bait the hackers so they can study their attacks. If you are interested in learning more about that i suggest you check out the article i blogged about.

  • November 11, 2012 at 9:01 pm
    Permalink

    Great article. Another common practice to help prevent SQL injection attacks is to “sanitize” input data. Since most “hackers” will likely try user input web forms first as a vulnerability test, sanitizing the input data will at least close some of the loopholes.

  • November 11, 2012 at 9:16 pm
    Permalink

    Good read, I also did similar topic as yours. Patch your SQL server regularly can be also a way to prevent attack. Even though you prepared very well against SQL injection, if your underlying software (database/operating system) have vulnerabilities, then your effort would become meaningless.

Comments are closed.