Securing SQL Statements with Automated Fix

by Hoyoung C
The article states that more than 10% of cyber vulnerabilities are SQL injection vulnerabilities. The authors attribute this to inexperience: many SQL developers lack training in software security, and that gap is what lets SQL injection vulnerabilities into their code. The paper proposes a way to fix SQL injection vulnerabilities without requiring the developer to be a security expert. The method removes SQL injection vulnerabilities from Java code by converting the vulnerable SQL statements into prepared statements. The advantage of a prepared statement is that user input is bound as a parameter and so cannot change the structure or execution of the statement. Automating this transformation gives developers a way to replace the vulnerable code with automatically generated secure code.
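To make the transformation concrete, here is an added illustration (my own sketch, not the tool from Thomas and Williams' paper): a small Python rewriter that takes a Java query built by string concatenation, replaces each spliced-in variable with a `?` placeholder, and emits the equivalent PreparedStatement code. The sample query, the variable names and the string-versus-numeric setter heuristic are all assumptions made for this example.

```python
import re

# Constructed sample of the vulnerable pattern: a query assembled by string
# concatenation and later handed to Statement.executeQuery().
VULNERABLE_EXPR = '"SELECT * FROM users WHERE name = \'" + name + "\' AND age > " + minAge'

# One token of a Java concatenation: a string literal, an identifier (optionally
# a no-argument call such as req.getId()), a '+', or whitespace.
TOKEN = re.compile(r'"((?:[^"\\]|\\.)*)"|([A-Za-z_][\w.]*(?:\(\))?)|\+|\s+')
MARK = "\x00"  # stands in for a spliced variable; cannot occur in SQL text

def split_concat(expr):
    """Split the expression into ('lit', text) and ('var', java_expr) parts."""
    parts, pos = [], 0
    while pos < len(expr):
        m = TOKEN.match(expr, pos)
        if not m:
            raise ValueError(f"unsupported syntax at offset {pos}")
        if m.group(1) is not None:
            parts.append(("lit", m.group(1)))
        elif m.group(2) is not None:
            parts.append(("var", m.group(2)))
        pos = m.end()
    return parts

def generate_fix(expr):
    """Return (parameterised SQL, [(setter, java_expr), ...]).
    A variable spliced between single quotes becomes a string parameter; a bare
    one is assumed numeric (a heuristic for this example). The rewrite is only
    sound when every spliced value is data: a '?' cannot replace a table or
    column name, and this sketch does not detect that case."""
    parts = split_concat(expr)
    variables = [text for kind, text in parts if kind == "var"]
    raw = "".join(text if kind == "lit" else MARK for kind, text in parts)
    params = []
    def placeholder(m):
        quoted = m.group(0).startswith("'")
        params.append(("setString" if quoted else "setInt", variables[len(params)]))
        return "?"
    sql = re.sub(f"'{MARK}'|{MARK}", placeholder, raw)
    return sql, params

def render_java(expr, conn="conn", stmt="stmt"):
    """Emit the PreparedStatement code that replaces the concatenated query."""
    sql, params = generate_fix(expr)
    lines = [f'PreparedStatement {stmt} = {conn}.prepareStatement("{sql}");']
    lines += [f"{stmt}.{setter}({i}, {val});" for i, (setter, val) in enumerate(params, 1)]
    lines.append(f"ResultSet rs = {stmt}.executeQuery();")
    return "\n".join(lines)
```

Running `render_java(VULNERABLE_EXPR)` prints the four Java lines that bind `name` and `minAge` as parameters, so neither value can alter the query text the database parses.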

I think that this is an interesting read and related to class because it talks about the possible fixes for the SQL security vulnerability even without being a security expert. Since many of the students are not experts in SQL and have just started learning, I think it would be useful information to know that there are ways to write SQL statements and have them secured even if you are not an expert in SQL and security. The author also talks about the case study they did with the method that they came up with, and said that they were able to remove all the SQL injection vulnerabilities successfully.

Thomas, S.; Williams, L., "Using Automated Fix Generation to Secure SQL Statements," Third International Workshop on Software Engineering for Secure Systems (SESS '07), ICSE Workshops 2007, p. 9, 20-26 May 2007. doi: 10.1109/SESS.2007.12