Removing Vulnerabilities in SQL Code{3}


The article I chose for this week is titled “Using Automated Fix Generation to Secure SQL Statements”.  The main purpose of the article is to propose a certain method of securing code from SQL injection attacks.  The article starts by stating that since 2002, more than half of all cyber attacks were done by exploiting input validation vulnerabilities.  SQL injection attacks accounted for 20% of all of those attacks.  For those who don’t know, an SQL injection attack is when a hacker inputs his or her own SQL statement in order to gain access to certain information.  The author’s proposed method of helping to prevent this kind of attack to java code is by using prepared statements rather than just plain text SQL statements.  His reasoning for this is that prepared statements limit the input that could affect the statement.  The author tested this by using prepared statements in five mock java programs which contained vulnerabilities.  Their conclusion was that the vulnerabilities were removed in each program.

After learning about how SQL statements work, I felt that this article was appropriate.  Anyone planning to have a future as a database administrator definitely needs to know how to prevent these kinds of attacks.  This article would mainly help those writing java code that interacts with a database.  However, it still provides insight in the thought process involved in stopping injection attacks.  Taking away the control and limiting the options given to the attacker is a good way to thwart attacks.

Last week I wrote about hackers congregating online in order to spread information about how to commit SQL injection attacks.  After writing that, I felt compelled to learn how to prevent these attacks.  This led me to picking this article.  I have used prepared statements in my java code before but I never realized that they could be used as an attack prevention method.

 

Thomas, S. Williams, L. (2007). Using Automated Fix Generation to Secure SQL Statements. Software Engineering for Secure Systems, 2007. SESS ’07: ICSE Workshops 2007. Third International Workshop on. 1 (1), 9.