The Price of Ignoring SQL Injection Vulnerabilities

Previous posts have defined SQL Injection attacks and shown how these attacks work against web applications. SQL Injections are nothing to take lightly. They are part of the number one threat defined by OWASP and rank number two on the CWE/SANS Top 25 list.

Unfortunately, research has shown that businesses just don’t take web application security seriously enough. For those who continue to ignore vulnerabilities that face web applications, the end result can often be costly. Just ask Montana-based broker-dealer D.A. Davidson & Co. who was ordered to pay $375,000 after the Financial Industry Regulatory Agency (FINRA) found them to be neglectful in protecting the personal data of 192,000 of its clients. The data, which resided in a database on a Web server, was compromised as the result of a SQL Injection attack launched by Latvian cyber criminals.

False Hopes

The events that unfolded in this case model what happens when no action is taken. The attack, which occurred on December 25, 2007, was preceded by an audit 18 months earlier that suggested the firm upgrade its computer security. D.A. Davidson & Co. did make some upgrades to its security, but its web-facing applications were left wide open, to the point that the database was never encrypted and the default password was never changed, leaving it blank.
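The "wide open" web application described above is, at the code level, a query that splices user input straight into SQL. The following is an added example (not code from the original post or from D.A. Davidson & Co.) that puts the vulnerable pattern next to the parameterized form that closes it, using an in-memory SQLite table with constructed sample rows; the table schema, column names and input values are all assumptions made for the demonstration.

```python
import sqlite3

# Constructed sample data standing in for a client-records table (assumed schema, not any real firm's).
SAMPLE_CLIENTS = [
    ("alice", "111-22-3333"),
    ("bob", "444-55-6666"),
    ("carol", "777-88-9999"),
]


def make_db():
    """Build an in-memory database seeded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE clients (username TEXT, ssn TEXT)")
    conn.executemany("INSERT INTO clients VALUES (?, ?)", SAMPLE_CLIENTS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    """Builds the statement by string concatenation, so the caller's input becomes part of the SQL grammar."""
    sql = "SELECT username, ssn FROM clients WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    """Binds the input as a query parameter: the driver treats it as data, never as SQL."""
    sql = "SELECT username, ssn FROM clients WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def compare(username):
    """Run both lookups on the same input and return (rows from vulnerable, rows from parameterized)."""
    conn = make_db()
    return len(lookup_vulnerable(conn, username)), len(lookup_parameterized(conn, username))


if __name__ == "__main__":
    # An ordinary username behaves the same way in both versions.
    print("alice ->", compare("alice"))
    # Input that happens to contain a quote turns the concatenated query into a tautology,
    # so the vulnerable version hands back every client record; the parameterized
    # version simply finds no client with that literal name.
    print("quoted input ->", compare("x' OR '1'='1"))
```

The parameterized version is the fix a code review or penetration-test report would have called for: the same statement text, with the input passed to the driver separately so it can never change what the query does. An empty database password, the other gap the post names, has no code fix at all; it is a configuration setting that simply has to be changed.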

I am sure they paid quite a bit of money for the security audit. Code reviews, audits, and penetration tests are quite pricey. Why they would put out even a minimal amount of money and then ignore all of the suggestions is beyond comprehension, but it is something that happens every day.

Security and Common Sense

The D.A. Davidson & Co. situation, and the many others like it, amaze me. In a society where data is considered a commodity, the warehouses for this high-priced treasure are under constant attack. Yet even knowing this, as D.A. Davidson & Co. clearly did, companies still neglect to do anything to protect their customers’ personal and financial information.

Times are tight right now. Companies find themselves steering clear of projects that have little or no return on investment. Unfortunately, they aren't spending enough even to protect their existing investments, and that is costing them heavily. Sure, security solutions may seem costly, but paying over $300,000 to be told you're vulnerable a second time just doesn't make much business sense.

Related Articles:

Ponemon State of Web Application Security Report
The Anatomy of a SQL Injection Attack
Microsoft confirms critical IE bug, works on fix