“After years of steady decline, 2014 witnessed a significant uptick in SQL injection vulnerabilities identified in publicly released software packages. DB Networks research indicates this alarming fact is directly attributed to today’s software development methodology – an emphasis on deadlines and budgets that gives short shrift to the kind of security due diligence that’s more important today than ever before.”
However, there is an interesting and logical rebuttal to this article.
“I can say that they are basically meaningless at this point. Even without their methodology, I am sure someone can trivially reproduce their results and figure out if they abstracted per CVE, or per actual SQLi mentioned. As a recent example, CVE-2014-7137 is a single entry that actually covers 54 distinct SQL injection vulnerabilities. If you count just the CVE candidate versus the vulnerabilities that may be listed within them, your numbers will vary greatly.”
Original article here from Help Net Security: http://www.net-security.org/secworld.php?id=17843
Rebuttal article here from Jericho of Attrition.org: http://blog.osvdb.org/2015/01/20/sqli-disclosures-and-the-last-five-years-transparent-statistics/
Let's hope SQL injection attacks are on the downslope; they really should be at this point.