The Price of Ignoring SQL Injection Vulnerabilities

Previous posts have defined SQL Injection attacks and shown how these attacks work against web applications. SQL Injections are nothing to take lightly. They are part of the number one threat defined by OWASP and rank number two on the CWE/SANS Top 25 list.

Unfortunately, research has shown that businesses just don’t take web application security seriously enough. For those who continue to ignore the vulnerabilities facing their web applications, the end result can often be costly. Just ask Montana-based broker-dealer D.A. Davidson & Co., which was ordered to pay $375,000 after the Financial Industry Regulatory Agency (FINRA) found it negligent in protecting the personal data of 192,000 of its clients. The data, which resided in a database on a Web server, was compromised as the result of a SQL Injection attack launched by Latvian cyber criminals.

False Hopes

The events that unfolded in this case show what happens when no action is taken. The attack, which occurred on December 25, 2007, was preceded by an audit 18 months earlier that suggested the firm upgrade its computer security. Although D.A. Davidson & Co. did make some security upgrades, its web-facing applications were left wide open: the database was never encrypted, and the default password was never changed, leaving it blank.

I am sure they paid quite a bit of money for the security audit. Code reviews, audits, and penetration tests are quite pricey. Why a firm would spend even a minimal amount of money on an audit and then ignore all of its recommendations is beyond comprehension, but it is something that happens every day.

Security and Common Sense

The D.A. Davidson & Co. situation, and the many others like it, amaze me. In a society where data is considered a commodity, the warehouses for this high-priced treasure are under constant attack. Yet even knowing this, as D.A. Davidson & Co. clearly did, companies still neglect to do anything to protect their customers’ personal and financial information.

Times are tight right now. Companies find themselves steering clear of projects that have little or no Return on Investment. Unfortunately, they aren’t spending enough even to protect the investments they have already made, and that is costing them heavily. Sure, security solutions may seem costly, but paying over $300,000 to be told you’re vulnerable a second time just doesn’t make much business sense.
