65% of US Organizations Experienced SQL Injection Attacks, Study Finds

DB Networks has published a report called “The SQL Injection Threat Study”

By on April 16th, 2014 19:39 GMT

A new study conducted by the Ponemon Institute on behalf of DB Networks shows that SQL Injection attacks are still problematic.

65% of the 595 US security practitioners who took part in the survey have reported experiencing such attacks in the last 12 months. Unfortunately, on average, it took 140 days to discover a breach, and 68 additional days to remediate the issue.

“We believe this is the first study to survey the risks and remedies regarding SQL injection attacks, and the results are very revealing,” said Ponemon Institute Founder Dr. Larry Ponemon.

“It is commonly accepted that organizations believe they struggle with SQL injection vulnerabilities, and almost half of the respondents said the SQL injection threat facing their organization is very significant, but this study examines much deeper issues,” Dr. Ponemon added.

“For example, only a third of those surveyed (34 percent) agreed or strongly agreed that their organization presently had the technology or tools to quickly detect SQL injection attacks. And more than half (52 percent) of respondents indicated that they don't test or validate any third party software to ensure it's not vulnerable to SQL injection.”

The study also reveals that 46% of respondents are familiar with the term “WAF [Web Application Firewall) Bypass.” Over half of those who took part in the study said it was becoming increasingly difficult to determine the root of SQL Injection attacks because of the fact that more and more employees used their personal devices for work purposes.

44% claim to be using professional penetration testers to identify vulnerabilities in their systems, but only 35% of them test for SQL Injection. Just over half said that they didn’t test third-party software to see if it was vulnerable to SQL Injection attacks.

Most respondents are in favor of using behavioral analysis technology for detecting SQL Injection attacks. It’s worth noting that behavioral analysis technology is DB Networks’ specialty.

“It's well known that SQL injection attacks are rampant and have proven to be devastating to organization of all sizes. This study delves into both the scope and many of the root causes of SQL injection breaches,” noted Brett Helm, chairman and CEO of DB Networks.

“Signature-based perimeter defenses simply cannot keep up with the sophistication of today's complex SQL injection attacks. It's interesting that this study indicates security professionals are now recognizing this and overwhelmingly had a favorable opinion of applying behavioral analysis technologies to address the SQL injection threat.”

For the complete “The SQL Injection Threat Study,” check out DB Networks’ website.

1 Comment