One of the most effective methods of preventing SQL injection is to thoroughly validate every input from the user: identify all meta-characters that the database system could interpret and filter them out. Filters should be in place to remove everything but known good data. An account lockout policy should also be in place to prevent brute-force guessing of passwords. An Acunetix vulnerability scanner can help you do this.
There are a number of buzzwords being used in this area - Security Vulnerabilities and Device Hardening

'Hardening' a device requires known security 'vulnerabilities' to be eliminated or mitigated. A vulnerability is any weakness or flaw in the software design, implementation or administration of a system that provides a mechanism for a threat to exploit the weakness of a system or process. There are two main areas to address in order to eliminate security vulnerabilities - configuration settings, and software flaws in program and operating system files.
Eliminating vulnerabilities will require either 'remediation' - typically a software upgrade or patch for program or OS files - or 'mitigation' - a configuration settings change. Hardening is required equally for servers, workstations and network devices such as firewalls, switches and routers.

How do I identify Vulnerabilities?

A vulnerability scan or external penetration test will report on all vulnerabilities applicable to your systems and applications. You can buy in third-party scanning and pen testing services; pen testing by its very nature is done externally via the public internet, as this is where any threat would be exploited from.
When dealing with string inputs it may be necessary on some occasions to allow the use of specific meta-characters. As an example, the tick (apostrophe) should be allowed in the surname field so that names such as O'Conner are accepted. In this case it would be advisable to accept the name and replace each apostrophe with two apostrophes before running it through the query or entering it in the database. When dealing with all user inputs through text boxes, it is important to restrict the length of the input. All textbox fields should be as short as possible and must be an appropriate length for the data to be entered. By keeping each field as short as possible, the number of characters that an attacker could use to launch a SQL injection is restricted.
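The two controls described above (an allow-list filter that removes everything but known good data, a maximum field length, and apostrophe doubling for the surname case) are shown together in the following added example. It is not code from the original article or from Acunetix; the table name, the column name, the 40-character limit and the allowed character set are assumptions chosen for illustration. It uses Python's built-in sqlite3 module so it runs offline, and it also shows a parameterized query as the alternative that lets the database driver bind the value itself.

```python
import re
import sqlite3

# Allow-list for a surname field (assumed): letters, spaces, hyphens and the
# apostrophe, so that a name such as O'Conner is accepted. Anything outside
# this set is rejected rather than cleaned up.
SURNAME_ALLOWED = re.compile(r"^[A-Za-z][A-Za-z' \-]*$")
SURNAME_MAX_LEN = 40  # assumed field length; keep it as short as the data allows


def validate_surname(value: str, max_len: int = SURNAME_MAX_LEN) -> str:
    """Return the surname unchanged if it passes the length and allow-list checks."""
    if not isinstance(value, str):
        raise ValueError("surname must be a string")
    if len(value) == 0 or len(value) > max_len:
        raise ValueError(f"surname must be 1..{max_len} characters long")
    if not SURNAME_ALLOWED.fullmatch(value):
        raise ValueError("surname contains characters outside the allow-list")
    return value


def check_input(value: str) -> bool:
    """True when the value would be accepted by validate_surname, False otherwise."""
    try:
        validate_surname(value)
        return True
    except ValueError:
        return False


def escape_apostrophes(value: str) -> str:
    """The article's technique: double every apostrophe so it is a literal
    character inside a single-quoted SQL string rather than a string delimiter."""
    return value.replace("'", "''")


def build_escaped_insert(surname: str) -> str:
    """Build a literal INSERT statement from a validated, apostrophe-doubled surname."""
    safe = escape_apostrophes(validate_surname(surname))
    return f"INSERT INTO customers (surname) VALUES ('{safe}')"


def setup_db() -> sqlite3.Connection:
    """Create an in-memory table (constructed for this example)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, surname TEXT NOT NULL)")
    return conn


def store_escaped(conn: sqlite3.Connection, surname: str) -> None:
    """Insert using validation plus apostrophe doubling, as the article describes."""
    conn.execute(build_escaped_insert(surname))
    conn.commit()


def store_parameterized(conn: sqlite3.Connection, surname: str) -> None:
    """Insert using a bound parameter: the driver keeps data and SQL separate,
    so no apostrophe doubling is needed. The allow-list still applies."""
    conn.execute("INSERT INTO customers (surname) VALUES (?)", (validate_surname(surname),))
    conn.commit()


def stored_surnames(conn: sqlite3.Connection) -> list:
    """Read back what was stored, in insertion order."""
    return [row[0] for row in conn.execute("SELECT surname FROM customers ORDER BY id")]


if __name__ == "__main__":
    conn = setup_db()
    store_escaped(conn, "O'Conner")
    store_parameterized(conn, "D'Arcy-Smith")
    print(stored_surnames(conn))  # both names come back with a single apostrophe
    for sample in ["O'Conner", "Smith;", "Smith123", "x" * (SURNAME_MAX_LEN + 1)]:
        print(repr(sample[:12]), "accepted" if check_input(sample) else "rejected")
```

Note that the allow-list runs before either storage path, so a value containing a semicolon, digits or an over-long string is rejected at the edge and never reaches the query builder; the apostrophe-doubling path only ever sees characters the allow-list already permits.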
Changing Trends in What Motivates Hackers

According to Zone-H, the top 50 attackers defaced a total of approximately 2.5 million websites all over the globe. According to the CSI/FBI Computer Crime and Security Survey 2005, one of the most dramatic findings was the exponential increase in website defacement experienced by their respondents: in 2004, 5% of the respondents experienced defacement, while in 2005 that figure went up to 95%. Recent trends over the past 12 months show a shift away from such disruptive vandalism that gains notoriety towards theft of data that translates into profit. The report on 2006 is still to be published. You can rely on a vulnerability scanner such as the Acunetix vulnerability scanner.
About the Author:
Want to find out more about Acunetix vulnerability scanners? Then visit Rhonda Benjamin's site on how to choose the best Acunetix vulnerability scanner for your needs.