Pierluigi Paganini April 18, 2014

A new study conducted by the Ponemon Institute reveals the impact of successfully SQL injection attacks on organizations during the last year.

The Ponemon Institute published a new study titled “The SQL Injection Threat Study“ to understand the reply of organizations to the SQL injection threat.

The study is sponsored by DB Networks, its Chairman and CEO Brett Helm used the following words to describe the inpact of the SQL injection attacks:

“It’s well known that SQL injection attacks are rampant and have proven to be devastating to organization of all sizes. This study delves into both the scope and many of the root causes of SQL injection breaches,“

The analysis reveals that 65% of organizations suffered successfully SQL injection attacks in the last twelve months which were able to evade victims’ defenses.

“We believe this is the first study to survey the risks and remedies regarding SQL injection attacks, and the results are very revealing,“ “It is commonly accepted that organizations believe they struggle with SQL injection vulnerabilities, and almost half of the respondents said the SQL injection threat facing their organization is very significant, but this study examines much deeper issues.” commented Dr. Larry Ponemon. 

The worrying news is that despite about one-third of believe that their organization has the necessary technology to detect and mitigate the cyber threats, the success rate of SQL injection attacks is too high.

According the Ponemon The SQL Injection Threat Study, 52% of respondents reported to have adopted third-party software to detect the attack but that they haven’t tested it.

49 percent of the respondents revealed that the SQL injection threat represents a serious problem for their company, SQL injection is considered one of the primary caused of data breach.

Cybercrime is adopting techniques even more sophisticated but too many organizations are not aware of principal attack patterns and this consideration makes them more exposed to the cyber attacks.

“Less than half of respondents (46 percent) are familiar with the term Web Application Firewalls (WAF) bypass. Only 39 percent of respondents are very familiar or familiar with the techniques cyber criminal use to get around WAF perimeter security devices.” states the report.

The impact of SQL injection attacks on the organization is very serious, the threat is very insidious and it is hard to detect, breaches required in fact an average of nearly 140 days to discover with an additional 68 days on average needed to remediate.

Reportes highlights are:

• 65% of respondents had experienced SQL injection attacks that successfully evaded their perimeter defenses in the past 12 months
• SQL injection breaches required an average of nearly 140 days to discover with an additional 68 days on average needed to remediates
• Nearly half of respondents (46%) were familiar with the term “WAF Bypass”
• 88% of respondents had a favorable or very favorable opinion of the use of behavioral analysis technology for detecting SQL injection attacks
• 44% utilize professional penetration testers to identify vulnerabilities in their IT systems; but only a third (35%) of those penetration tests were allowed to actually test for SQL injection vulnerabilities

Pierluigi Paganini

(Security Affairs –  Ponemon Institute, SQL injection)