The Price of Ignoring SQL Injection Vulnerabilities

Previous posts have defined SQL Injection attacks and shown how these attacks work against web applications. SQL Injections are nothing to take lightly. They are part of the number one threat defined by OWASP and rank number two on the CWE/SANS Top 25 list.


Unfortunately, research has shown that businesses just don’t take web application security seriously enough. For those who continue to ignore the vulnerabilities facing their web applications, the end result can often be costly. Just ask Montana-based broker-dealer D.A. Davidson & Co., which was ordered to pay $375,000 after the Financial Industry Regulatory Agency (FINRA) found it had been neglectful in protecting the personal data of 192,000 of its clients. The data, which resided in a database on a Web server, was compromised as the result of a SQL Injection attack launched by Latvian cyber criminals.

False Hopes

The events that unfolded in this case model what happens when no action is taken. The attack, which occurred on December 25, 2007, was preceded by an audit 18 months earlier that suggested the firm upgrade its computer security. Although D.A. Davidson & Co. did make some upgrades to its security, its web-facing applications were left wide open: the database was never encrypted, and the default password was never changed, leaving it blank.

I am sure they paid quite a bit of money for the security audit. Code reviews, audits, and penetration tests are quite pricey. Why they would put out even a minimal amount of money and then ignore all of the suggestions is beyond comprehension, but it is something that happens every day.

Security and Common Sense

The D.A. Davidson & Co. situation, and the many others like it, amaze me. In a society where data is considered a commodity, the warehouses for this high-priced treasure are under constant attack. Yet even knowing this, as D.A. Davidson & Co. clearly did, companies still neglect to do anything to protect their customers’ personal and financial information.

Times are tight right now. Companies find themselves steering clear of projects that have little or no Return on Investment. Unfortunately, they aren’t spending enough even to protect their existing investments, and that is costing them heavily. Sure, security solutions may seem costly, but paying over $300,000 to be told you’re vulnerable a second time just doesn’t make much business sense.