
Agencies CISA and FBI Call for Intensified Action to Eradicate Persisting SQL Injection Vulnerabilities

U.S. authorities encourage programming professionals to focus on eradicating SQL injection vulnerabilities


On March 25, 2024, the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) jointly issued a "secure-by-design" alert urging technology manufacturers to eliminate SQL injection (SQLi) vulnerabilities from their products. SQLi is a class of vulnerability that has been understood, and has had a well-known fix, for decades.

The alert was prompted by the SQLi vulnerability in Progress Software's MOVEit Transfer file transfer product that was exploited at scale in mid-2023. The campaign exfiltrated data from thousands of MOVEit corporate customers and exposed the personal details of tens of millions of downstream individuals. The Clop ransomware gang is estimated to have made up to $100 million from extortion tied to this single vulnerability.

The alert urges technology vendors to take ownership of customer security outcomes, to embrace transparency and accountability, and to realign business goals toward secure-by-design software development. It frames these as three guiding principles:

  1. Taking ownership of customer security outcomes: technology manufacturers should treat customer security as a product requirement, not a customer responsibility, and should proactively find and remove vulnerabilities before they ship.
  2. Embracing transparency and accountability: manufacturers should ensure that their Common Vulnerabilities and Exposures (CVE) records are correct and complete (including an accurate CWE root cause), document the root causes of their vulnerabilities, and work towards eliminating entire classes of vulnerability rather than patching instances one at a time.
  3. Realigning business goals toward secure-by-design software development: leadership should make the investments and build the incentive structures that make secure development the default, which over time reduces financial and productivity costs as well as complexity.

The alert also advises senior executives at technology manufacturers to commission formal code reviews to determine whether their software is susceptible to SQLi. If SQLi vulnerabilities are found, the alert advises implementing mitigations immediately, across all of the manufacturer's current and future products.

Under the first principle, the alert calls for "prepared statements with parameterized queries" to be the standard, enforced in code review, for all database access. With a prepared statement the SQL text is compiled first and user-supplied values are bound afterwards, so input can never be interpreted as part of the query. This removes the class of SQLi attacks, which otherwise let an attacker read sensitive data, tamper with or delete records, or render a database unavailable.
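As an added illustration (this is not code from the alert or the article), the same user lookup is written below in the pattern the alert wants eliminated and in the parameterized form it recommends, then both are run against two classic injection payloads. The table, rows and payload strings are constructed sample data for the example; an in-memory SQLite database stands in for the application's real database.

```python
"""Added example (not from the CISA/FBI alert or the article): a user lookup
written two ways against an in-memory SQLite database with constructed sample
rows, to show why the alert's recommended control, prepared statements with
parameterized queries, closes the SQLi class rather than blocking one payload."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: a users table with a column the lookup should
    never expose (api_token)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, api_token TEXT);
        INSERT INTO users (username, api_token) VALUES
            ('alice', 'tok-alice'),
            ('bob',   'tok-bob'),
            ('carol', 'tok-carol');
        """
    )
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """The pattern the alert asks manufacturers to eliminate: user-controlled
    input is concatenated into the query text, so the database parses it as SQL."""
    query = f"SELECT id, username FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def find_user_parameterized(conn: sqlite3.Connection, username: str) -> list:
    """The alert's recommended fix: the statement is prepared with a placeholder
    and the value is bound separately, so it is only ever a string literal."""
    query = "SELECT id, username FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


# Two classic payloads (constructed for the example). The first turns the WHERE
# clause into a tautology; the second appends a UNION that pulls the api_token
# column the query never meant to return, and comments out the trailing quote.
PAYLOAD_TAUTOLOGY = "' OR '1'='1"
PAYLOAD_UNION = "x' UNION SELECT id, api_token FROM users -- "


def compare(payload: str) -> dict:
    """Run one payload through both implementations on a fresh database."""
    conn = make_db()
    return {
        "vulnerable": find_user_vulnerable(conn, payload),
        "parameterized": find_user_parameterized(conn, payload),
    }


if __name__ == "__main__":
    for name, payload in (("tautology", PAYLOAD_TAUTOLOGY), ("union", PAYLOAD_UNION)):
        result = compare(payload)
        print(f"{name}: vulnerable -> {len(result['vulnerable'])} rows, "
              f"parameterized -> {len(result['parameterized'])} rows")
```

The vulnerable function returns every user for the tautology payload and every API token for the UNION payload; the parameterized function returns no rows for either, because it simply looks for a user literally named `' OR '1'='1`. One caveat a reviewer should keep in mind: placeholders only bind values. Table and column names, `ORDER BY` targets and similar identifiers cannot be parameterized and must be checked against a fixed allow-list instead, which is where parameterized code bases most often still leak SQLi.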

The alert comes at a time when SQLi attacks continue to pose a significant threat to organisations worldwide, and it is blunt about the cause: despite decades of public guidance, software manufacturers continue to ship products containing SQLi vulnerabilities, placing their customers at risk. It serves as a reminder to all technology manufacturers to build security into product development from the start and to eliminate SQLi vulnerabilities as a class rather than one CVE at a time.
