Is it actually true? SQL injection vulnerabilities have surged to their highest level in three years, according to DB Networks, which analyzed statistics from the National Vulnerability Database, a federally funded repository of cyber-vulnerability data maintained by the National Institute of Standards and Technology.

Article #1:

“After years of steady decline, 2014 witnessed a significant uptick in SQL injection vulnerabilities identified in publicly released software packages. DB Networks research indicates this alarming fact is directly attributed to today’s software development methodology – an emphasis on deadlines and budgets that gives short shrift to the kind of security due diligence that’s more important today than ever before.”

However, there is an interesting and logical rebuttal to this article.

Article #2:

“I can say that they are basically meaningless at this point. Even without their methodology, I am sure someone can trivially reproduce their results and figure out if they abstracted per CVE, or per actual SQLi mentioned. As a recent example, CVE-2014-7137 is a single entry that actually covers 54 distinct SQL injection vulnerabilities. If you count just the CVE candidate versus the vulnerabilities that may be listed within them, your numbers will vary greatly.”

Original article here from Help Net Security: http://www.net-security.org/secworld.php?id=17843

Rebuttal article here from Jericho of Attrition.org: http://blog.osvdb.org/2015/01/20/sqli-disclosures-and-the-last-five-years-transparent-statistics/
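To see why the counting unit matters, here is a small Python script that counts SQL injection entries two ways: once per CVE identifier, and once per distinct vulnerability listed inside each entry. It is added here as an illustration and is not code from either article or from DB Networks. The records are constructed (the IDs and descriptions are made up), but the "(1) ..., (2) ..." enumeration follows the wording real CVE descriptions use when one entry covers several issues, which is the abstraction problem the rebuttal describes.

```python
import re
from collections import Counter

# Constructed CVE-style records for illustration only. The IDs are placeholders,
# the products are fictional, and the descriptions imitate NVD phrasing.
SAMPLE_ENTRIES = [
    {"id": "CVE-2013-EXAMPLE-1", "year": 2013,
     "description": "SQL injection vulnerability in login.php in ExampleApp 1.0 "
                    "allows remote attackers to execute arbitrary SQL commands via the user parameter."},
    {"id": "CVE-2013-EXAMPLE-2", "year": 2013,
     "description": "SQL injection vulnerability in report.php in ExampleHR 4.2 "
                    "allows remote authenticated users to execute arbitrary SQL commands via the dept parameter."},
    {"id": "CVE-2013-EXAMPLE-3", "year": 2013,
     "description": "SQL injection vulnerability in the search module in ExampleForum 0.9 "
                    "allows remote attackers to execute arbitrary SQL commands via the term parameter."},
    {"id": "CVE-2014-EXAMPLE-1", "year": 2014,
     "description": "Multiple SQL injection vulnerabilities in ExampleCMS 2.1 allow remote attackers "
                    "to execute arbitrary SQL commands via the (1) id parameter to view.php, "
                    "(2) cat parameter to list.php, (3) page parameter to index.php, "
                    "(4) q parameter to search.php, or (5) sort parameter to admin/list.php."},
    {"id": "CVE-2014-EXAMPLE-2", "year": 2014,
     "description": "Cross-site scripting (XSS) vulnerability in ExampleCMS 2.1 allows remote "
                    "attackers to inject arbitrary web script via the name parameter."},
    {"id": "CVE-2014-EXAMPLE-3", "year": 2014,
     "description": "SQL injection vulnerability in admin.php in ExampleShop 3.0 allows remote "
                    "authenticated users to execute arbitrary SQL commands via the order parameter."},
]

SQLI_RE = re.compile(r"\bSQL injection\b", re.IGNORECASE)
ENUM_RE = re.compile(r"\((\d+)\)")


def is_sqli(entry):
    """True when the entry's description classifies it as SQL injection."""
    return bool(SQLI_RE.search(entry["description"]))


def instance_count(entry):
    """Number of distinct vulnerabilities one entry abstracts.

    Multi-issue CVE descriptions enumerate the issues as (1) ..., (2) ...,
    so the highest marker gives the count; an unenumerated entry counts as one.
    """
    markers = [int(m) for m in ENUM_RE.findall(entry["description"])]
    return max(markers) if markers else 1


def count_by_year(entries):
    """Return (per_cve, per_instance) dicts keyed by year for SQLi entries."""
    per_cve, per_instance = Counter(), Counter()
    for entry in entries:
        if not is_sqli(entry):
            continue
        per_cve[entry["year"]] += 1
        per_instance[entry["year"]] += instance_count(entry)
    return dict(per_cve), dict(per_instance)


def direction(counts, year_from, year_to):
    """Describe the year-over-year movement as 'up', 'down' or 'flat'."""
    a, b = counts.get(year_from, 0), counts.get(year_to, 0)
    return "up" if b > a else "down" if b < a else "flat"


if __name__ == "__main__":
    per_cve, per_instance = count_by_year(SAMPLE_ENTRIES)
    print("per CVE entry:     ", per_cve, direction(per_cve, 2013, 2014))
    print("per listed SQLi:   ", per_instance, direction(per_instance, 2013, 2014))
```

On this constructed data the two methods disagree on the direction of the trend: counting CVE entries shows a decline from 2013 to 2014, while counting the vulnerabilities listed inside those entries shows a rise. That is exactly why a statistic such as "SQLi at a three-year high" is not interpretable unless the publisher states which unit it counted, and anyone reproducing it from NVD data should report both.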

Let's hope SQL injection attacks are on the downslope; they really should be at this point.

Jock
