5/1/2008
Microsoft is claiming that an injection attack vulnerability, discovered late last week and made public this week and related to the popular business database application SQL, is not the company's fault but may lie with lax Web developers.
"The attacks are facilitated by SQL injection exploits and are not issues related to IIS 6.0, ASP, ASP.Net, or Microsoft SQL technologies," wrote Bill Sisk, a communications manager at Microsoft, in a blog post late Friday night. "SQL injection attacks enable malicious users to execute commands in an application's database."
Sisk wrote further that to stave off such attacks against the SQL app, developers should "follow secure coding practices," which to some observers implied that many Web developers had not been employing such methods.
Whatever the case may be, the continued delicate nature of security around SQL underscores what IT security pros have been saying for the last 12 months: rather than the operating system, it's all about protecting the applications that sit on it and by extension the data contained therein.
Similarly, the industry's database giant, Oracle, chimed in on the subject on Monday when it identified similar vulnerabilities affecting its enterprise resource planning and database programs. The problem was described by Eric Maurice, manager of Oracle's Global Technology Unit, in a blog post on Monday.
"In simple terms, SQL injection attacks are designed to leverage improper coding of database-powered applications that, in the absence of proper input validation, allow a malicious attacker to insert string input to an application," he wrote.
Maurice surmised that in each individual case, the attacker injects or pushes through commands that will be executed on the back-end database. The commands either muck up the front-end interface -- what the end user sees on the screen -- or make the data unusable and perhaps even crash the system.
"The consequences of successful SQL injections can be severe," he wrote.
Identifying the problem as a "code issue" is the easy part, but fixing it won't be a cakewalk for developers, according to security experts and software company officials.
"These attacks really show the need for properly securing the SQL Server and for following secure SQL coding techniques," said Eric Schultze, chief technology officer of St. Paul, Minn.-based Shavlik Technologies. "Unfortunately, secure SQL coding techniques are not for the faint of heart. Microsoft and others provide guidance on how to code against these types of attacks. However, it's not a simple set of steps."
The problem lies not with the Web servers or middleware application servers but in the custom application code, which varies from one enterprise to the next and which may connect with multiple applications.
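The "improper coding" Maurice and Schultze describe comes down to how application code builds its queries. The following is an added illustration, not code from Microsoft, Oracle, or the article: it uses Python's standard `sqlite3` module with a constructed `users` table (the table, rows and helper names are assumptions) to show the vulnerable pattern, where user input is concatenated into SQL text, beside the two defences the vendors' guidance points at: a parameterised query, which keeps the SQL fixed and binds the value as data, and allow-list input validation as a second layer.

```python
import re
import sqlite3

# Constructed sample data; the table and rows are assumptions for this illustration.
SAMPLE_USERS = [("alice", "admin"), ("bob", "user"), ("carol", "user")]

# Allow-list for a username: letters, digits and underscore only, 1 to 32 characters.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")


def make_db():
    """Create an in-memory SQLite database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (username, role) VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    """Vulnerable pattern: the caller's string becomes part of the SQL text.

    Whatever the user typed is parsed by the database as SQL, so a value that
    closes the quote and appends its own condition changes what the query means.
    A legitimate name containing an apostrophe breaks the query for the same reason.
    """
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """Hardened pattern: a parameterised query.

    The SQL text is fixed and the value is bound separately, so the database
    never parses the user's input as SQL; it is only ever compared as data.
    """
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def is_valid_username(username):
    """Input validation as a second layer: accept only an explicit allow-list
    of characters rather than trying to enumerate dangerous ones."""
    return bool(USERNAME_RE.match(username))


def lookup_validated(conn, username):
    """Validation plus parameterisation: malformed input is rejected before it
    reaches the database at all. Returns None when the input is rejected."""
    if not is_valid_username(username):
        return None
    return lookup_safe(conn, username)


if __name__ == "__main__":
    db = make_db()
    injected = "' OR '1'='1"  # textbook input that closes the quote and adds a condition
    print("normal input:", lookup_vulnerable(db, "bob"))
    print("vulnerable, injected input returns every row:", lookup_vulnerable(db, injected))
    print("parameterised, same input matches nothing:", lookup_safe(db, injected))
    print("validated, same input rejected:", lookup_validated(db, injected))
```

Run against the constructed table, `lookup_vulnerable` returns all three rows for the injected input because the database sees `WHERE username = '' OR '1'='1'`, while `lookup_safe` returns nothing because the same string is compared as a literal value. Parameterisation is the fix; validation is defence in depth, and neither requires any change to IIS, ASP.NET or SQL Server itself, which is the point the vendors were making.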
Beginning this fall, students in Tiffin University's newest online program, Ivy Bridge College, will use eCollege, a course management system from Pearson, for all of their online courses. The 2,350-student Tiffin U is located in Tiffin, OH and offers both on-campus and online classes. Since 2005, those online courses have been managed through Jenzabar Internet Campus Solution.
California's Rio Hondo College and Sierra College have selected software from the Banner Unified Digital Campus and other solutions from SunGard Higher Education to help address their growing enrollments and to help improve student retention and services.
Luidia has released a new version of its eBeam software for use with classroom-based interactive projection environments. eBeam Interact 2.1 offers both new and upgraded features, including enhanced screen recording and a comprehensive online image gallery, as well as the company's Scrapbook Image Writer feature.
McGill University Library in Montreal will be using a Kirtas Technologies APT BookScan 2400RA to digitize its collections. The company says that the 2400RA is capable of acquiring page images at the rate of 2,400 pages per hour. The library will be working with Ristech, a Canadian reseller, to implement the digitization solution.
Ball State University in Muncie, IN has gone public regarding its deployment of a Web site content management system from Sitecore. Ball State chose Sitecore's software to revamp its 220-plus sites, integrating common new media applications and garnering a next-generation user experience that has won several awards from education and new media marketing organizations. Now, Ball State maintains uniformity across all university Web sites and said it has enhanced its recruiting efforts through the site's new look and interface.
Bio-Key International has announced the release of two new emergency alert and management solutions for the education market. MobileSRO is designed specifically for the K-12 environment, while MobileCampus caters to higher education and other campus-based organizations.