Today, CISA and the Federal Bureau of Investigation (FBI) released a joint Secure by Design Alert, Eliminating SQL Injection Vulnerabilities in Software. This Alert was crafted in response to a recent, well-publicized exploitation of SQL injection (SQLi) defects in a managed file transfer application that impacted thousands of organizations. Additionally, the Alert highlights the prevalence of this class of vulnerability.

Despite widespread knowledge and documentation of SQLi vulnerabilities over the past two decades, along with the availability of effective mitigations, software manufacturers continue to develop products with this defect, which puts many customers at risk.

CISA and the FBI urge senior executives at technology manufacturing companies to mount a formal review of their code to determine its susceptibility to SQLi compromises. If found vulnerable, senior executives should ensure their organizations’ software developers begin immediate implementation of mitigations to eliminate this entire class of defect from all current and future software products.

For more information on recommended principles and best practices to achieve this goal, visit CISA’s Secure by Design page. To catch up on the publications in this series, visit Secure by Design Alerts.

Leave a Reply

Your email address will not be published. Required fields are marked *

Explore More

ALPHV/BlackCat Ransomware Servers Go Down

March 5, 2024 0 Comments 0 tags

Speculations about the shut down range from a potential exit scam to a rebranding initiative

A Close Up Look at the Consumer Data Broker Radaris

March 9, 2024 0 Comments 0 tags

If you live in the United States, the data broker Radaris likely knows a great deal about you, and they are happy to sell what they know to anyone. But

Industrial Cyber Espionage France’s Top Threat Ahead of 2024 Paris Olympics

February 27, 2024 0 Comments 0 tags

Ransomware and destabilization attacks rose in 2023, yet France’s National Cybersecurity Agency is most concerned about a diversification of cyber espionage campaigns