
Vendors encouraged to eliminate SQL injection weaknesses from software packages

CISA and FBI authorities attribute incidents targeting MOVEit file transfer software to preventable system flaws.

In a recent alert, the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have called on software manufacturers to systematically eliminate SQL injection vulnerabilities. These vulnerabilities, which can lead to significant security risks, are primarily caused by the unsafe inclusion of user-provided input directly in SQL query strings.

To address this issue, manufacturers are recommended to enforce the consistent use of parameterized queries (prepared statements) in product designs. This approach, as stated in the alert, prevents the occurrence of SQL injection flaws by separating SQL code from user-supplied data.
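As an added illustration of the contrast the alert draws (this is example code written for this page, not code from the alert or from any vendor), the following Python compares a query built by splicing user input into the SQL text with its parameterized equivalent, using a small in-memory SQLite table constructed here; the table, the function names and the sample inputs are assumptions.

```python
import sqlite3

# Constructed sample data for the demonstration; not taken from the alert.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn

def lookup_unsafe(conn: sqlite3.Connection, username: str) -> list:
    # The pattern the alert warns about: user-provided input becomes part of
    # the SQL text, so the input can change what the statement means.
    query = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()

def lookup_safe(conn: sqlite3.Connection, username: str) -> list:
    # Parameterized query (prepared statement): the SQL text is fixed and the
    # value travels separately, so the driver only ever compares it as data.
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()

def demo() -> tuple:
    conn = make_db()
    benign = "bob"
    # Constructed test input: a tautology that, if interpreted as SQL rather
    # than as a string value, makes the WHERE clause true for every row.
    hostile = "' OR '1'='1"
    return (
        lookup_unsafe(conn, benign),   # one row, as intended
        lookup_unsafe(conn, hostile),  # every row: the input rewrote the query
        lookup_safe(conn, benign),     # one row, as intended
        lookup_safe(conn, hostile),    # no rows: no user has that literal name
    )

if __name__ == "__main__":
    labels = ("unsafe/benign", "unsafe/hostile", "safe/benign", "safe/hostile")
    for label, rows in zip(labels, demo()):
        print(f"{label}: {rows}")
```

The same input that returns the whole table through the concatenated query returns nothing through the parameterized one, which is the separation of code from data the alert asks manufacturers to enforce.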

In addition to parameterized queries, manufacturers should also:

  1. Design products to prevent the introduction of injection vulnerabilities by clearly delimiting command inputs from commands themselves.
  2. Perform formal security reviews and mitigations before software shipment.
  3. Patch known exploited vulnerabilities promptly and provide free, timely patches to customers.
  4. Evaluate and secure open source software dependencies through security scans and routine monitoring for vulnerabilities such as Common Vulnerabilities and Exposures (CVEs).
  5. Use memory-safe programming languages or protective hardware to avoid memory safety vulnerabilities that might facilitate exploits.

These recommendations form part of CISA and FBI's broader secure-by-design guidance, emphasizing prevention at development time, vulnerability management, and ongoing security hygiene in the software supply chain.

The software industry has been aware of the risk of SQL injection flaws for decades, yet manufacturers have failed to take sufficient steps to remove these defects from software, according to CISA and the FBI. The agencies cited the role SQL injection defects played in the widespread attacks linked to MOVEit file transfer software in 2023.

Spencer McIntyre, security research manager and head of Metasploit development at Rapid7, believes that migrating to prepared statements is a reasonable ask, although it may not be easy for all software producers. He adds that libraries are likely available to support the pattern CISA recommends.

The alert concerns SQL, the language used to manage data in relational databases. Developers can reduce the risk of SQL injection vulnerabilities by making the necessary changes during the software design and development phases.

Under a secure by design and secure by default approach, customers would not have to hunt for hidden defects or change configurations after a product has been shipped and installed on their network. Where SQL injection vulnerabilities are found in software, the agencies are asking companies to take immediate steps to eliminate these defects from existing and future software.

CISA and the FBI are also advocating for software and hardware manufacturers to make their products secure by design and secure by default, as part of the Biden administration's national cybersecurity strategy. This approach would ensure that security is built into products from the outset, reducing the risk of vulnerabilities and improving overall cybersecurity.

  • To further strengthen cybersecurity and minimize risks to data and cloud computing, software manufacturers are advised to adopt best practices that go beyond eliminating SQL injection vulnerabilities: securing open source software dependencies, performing formal security reviews and mitigations before software shipment, patching known exploited vulnerabilities promptly, and using memory-safe programming languages or protective hardware.
  • The CISA and FBI alert on SQL injection vulnerabilities underlines the importance of a secure-by-design approach, which emphasizes prevention at development time, vulnerability management, and ongoing security hygiene in the software supply chain. This strategy is a key component of the Biden administration's national cybersecurity strategy, under which manufacturers are encouraged to make their products secure by design and secure by default.
