CISA urges software devs to weed out SQL injection vulnerabilities

CISA and the FBI urged executives of technology manufacturing companies to prompt formal reviews of their organizations’ software and implement mitigations to eliminate SQL injection security vulnerabilities before shipping.

In SQL injection attacks, threat actors “inject” maliciously crafted SQL queries into input fields or parameters used in database queries, exploiting vulnerabilities in the application’s security to execute unintended SQL commands, such as exfiltrating, manipulating, or deleting sensitive data stored in the database.

CISA and the FBI advise the use of parameterized queries with prepared statements to prevent SQL injection vulnerabilities.
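The difference between the two query styles, as an added example that is not part of the advisory or the original article: it uses Python's built-in `sqlite3` module, and the `users` table, its rows and the function names are constructed for illustration.

```python
import sqlite3

# Constructed sample rows; table and column names are assumptions for the demo.
ROWS = [("alice", "alice@example.com"), ("bob", "bob@example.com"),
        ("o'brien", "obrien@example.com")]

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", ROWS)
    return conn

def lookup_concatenated(conn, name):
    # Weak form: input becomes part of the SQL text and can alter its structure.
    query = "SELECT email FROM users WHERE name = '" + name + "'"
    return sorted(row[0] for row in conn.execute(query))

def lookup_parameterized(conn, name):
    # Corrected form: fixed SQL text, input bound as a value only.
    query = "SELECT email FROM users WHERE name = ?"
    return sorted(row[0] for row in conn.execute(query, (name,)))

def compare(name):
    """Run both lookups on a fresh database; report rows or the error type."""
    conn = make_db()
    results = []
    for lookup in (lookup_concatenated, lookup_parameterized):
        try:
            results.append(lookup(conn, name))
        except sqlite3.Error as exc:
            results.append(type(exc).__name__)
    conn.close()
    return tuple(results)

if __name__ == "__main__":
    # Constructed inputs: a normal name, a quote-bearing string, a real name with an apostrophe.
    for value in ("alice", "x' OR '1'='1", "o'brien"):
        weak, fixed = compare(value)
        print(f"{value!r}: concatenated={weak} parameterized={fixed}")
```

The concatenated lookup returns every row for the quote-bearing string and fails outright on a legitimate name containing an apostrophe, while the parameterized lookup treats both purely as values.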

SQLi vulnerabilities took the third spot in MITRE’s top 25 most dangerous weaknesses plaguing software between 2021 and 2022, only surpassed by out-of-bounds writes and cross-site scripting.

“If they discover their code has vulnerabilities, senior executives should ensure their organizations’ software developers immediately begin implementing mitigations to eliminate this entire class of defect from all current and future software products,” CISA and the FBI said [PDF].

“Vulnerabilities like SQLi have been considered by others an ‘unforgivable’ vulnerability since at least 2007. Despite this finding, SQL vulnerabilities are still a prevalent class of vulnerability.”
