Regulator Sounds SQL Injection WarningHotel Booking Site Hack Serves as Preventable Flaw Reminder
The U.K. Information Commissioner's Office has issued a warning to businesses to eliminate SQL injection vulnerabilities from their websites, after fining a hotel booking site for failing to properly secure customer data and payment card information.
Security experts worldwide have long recommended that organizations tap secure software development lifecycle practices to ensure that they're eliminating common flaws - including SQL injection vulnerabilities - from the code that underpins their websites and applications.
Doing so isn't difficult, provided businesses train developers accordingly and emphasize quality code creation over rushing products to market, says former White House cybersecurity czar Howard Schmidt, who's now the executive director of the not-for-profit Software Assurance Forum for Excellence in Code - or SAFECode. But he says no changes will occur until the "C-suite" makes secure coding part of the corporate culture. Otherwise, businesses will be battling SQL injection flaws for years to come.
"Not only do we need to use a secure development process, but legacy code must be scrubbed for these errors, so we will not be talking about this - and other well-known vulnerabilities - 10 years from now," he says.
Currently, however, SQL injection flaws remain too widespread, warns the ICO, which is responsible for enforcing European data privacy rules in the United Kingdom. The regulator this week fined Worldview Limited with a £7,500 ($12,000) after attackers exploited a SQL injection flaw on the company's website, allowing them to access its customer database and steal full payment card details for more than 3,800 customers.
"Although customers' payment details had been encrypted, the means to decrypt the information - known as the decryption key - was stored with the data," the ICO says. "This oversight allowed the attackers to access the customers' full card details, including the three-digit security code needed to authorize payment." The regulator says it would have imposed a £75,000 fine ($120,000) but imposed a lower amount based on the company's "financial situation."
The ICO says the SQL flaw had been present on Worldview's site since May 2010, and was only discovered during an update on June 28, 2013. By that time, however, attackers had already had access to the card data for 10 days.
"It may come as a surprise to many in the IT security industry that this type of attack is still allowed to occur," says Simon Rice, the ICO's group manager for technology. "SQL injection attacks are preventable, but organizations need to spend the necessary time and effort to make sure their website isn't vulnerable. Worldview Limited failed to do this."
SQL Injections Flaws Widespread
Despite years of warnings from information security experts about the danger of SQL injection flaws, SQL injection continues to take first place in the top 10 list of the worst Web application vulnerabilities maintained by the Open Web Application Security Project.
SQL injection flaws are so dangerous because they allow attackers to obtain high-value information from Internet-connected databases. Hackers regularly use SQL injection attacks to steal everything from payment card data to access credentials, including e-mail addresses and passwords.
"Organizations must act now to avoid one of the oldest hackers' tricks in the book," Rice says. "If you don't have the expertise in-house, then find someone who does. Otherwise you may be the next organization on the end of an ICO fine and the reputational damage that results from a serious data breach."
Preventing SQL injection flaws isn't difficult, provided organizations devote adequate time and money to fostering secure development lifecycle practices, which include training developers, investing in required toolsets, as well as a management-level commitment to eradicating code flaws.
"Broad adoption of secure software development practices, upgrading legacy applications and educating software engineers about secure software development are the long-term key success factors for securing our applications," says Eric Baize, who leads the product security group at technology giant EMC, and who's also a board member for SAFECode. In particular, he recommends putting in place a secure development program, which includes taking time to review code and ensure that it's free from known errors.
While improving development practices sounds fine in theory, however, secure coding has long been beset by an image problem: it's profoundly unsexy. From a cost standpoint, furthermore, practicing top-notch coding can delay a product or site's "time to market." So many businesses opt to take their chances by shipping products and services as quickly as possible, even if the quality of their code suffers.
But that's short-term thinking, because while code-level flaws are relatively low-cost and easy to eliminate when software is being built, such bugs become far more costly to fix after the code goes live on production systems, as an IBM study proves. If those vulnerabilities get exploited by hackers to steal data, meanwhile, the cost may increase by orders of magnitude.
Baize argues that secure coding needs to become a cornerstone - if not a mandatory ethical requirement - for development training. "Too many colleges and universities are graduating software engineers without teaching them about the software security," he says. "Building engineers must learn fireproofing to graduate, but software engineers can still graduate with no exposure to secure coding, leaving it to their employer to educate them about secure software development."