Friday, April 17, 2009

OWASP's SQL Injection Prevention Cheat Sheet

Recently, SQL injection has become a popular topic in the security world. A quick look at the articles below shows that many organizations are suffering breaches due to SQL injection. These incidents have led to the disclosure of credit card numbers, social security numbers, and other personal or sensitive information.

Breach Information:
http://www.webappsec.org/projects/whid/byclass_class_attack_method_value_sql_injection.shtml

http://datalossdb.org/incidents/1230-sql-injection-hack-exposes-names-credit-card-numbers-cvv-codes-of-hundreds

http://datalossdb.org/incidents/1364-sql-injection-hack-exposes-names-addresses-and-ccn

Many development groups struggle to address these vulnerabilities within their software. In March, OWASP released the "SQL Injection Prevention Cheat Sheet." This short article discusses the options developers have for addressing SQL injection. If this article were to become required reading for all developers, I believe it would result in significantly fewer data breach incidents caused by web application vulnerabilities.