Dive Brief:
- The Cybersecurity and Infrastructure Security Agency and FBI urged software manufacturers to take steps to eliminate SQL injection vulnerabilities in an alert issued Monday.
- CISA and the FBI are asking leadership at software manufacturers to launch formal reviews of their code to find out whether they are susceptible to SQL injection compromises. If found, the agencies are asking the companies to take immediate steps to eliminate these defects from existing and future software.
- The agencies cited the role SQL injection defects played in the widespread attacks linked to MOVEit file transfer software, which impacted thousands of organizations in 2023.
Dive Insight:
The software industry has known about the risk of SQL injection flaws for decades, according to CISA and the FBI, yet manufacturers have failed to take sufficient steps to remove these defects from software.
SQL, which stands for Structured Query Language, is a programming language used to manage data in relational databases.
Developers can eliminate the risk of exploitation by making changes during the software design and development phases, according to the agencies. By adopting the use of “prepared statements” with parameterized queries, developers can separate SQL code from user-supplied data, which prevents this type of vulnerability, according to the alert.
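To show the separation the alert describes, here is an added example (not from the alert or the article) that runs the string-concatenation pattern beside a parameterized query against a constructed in-memory SQLite table; the table contents, the `compare` helper and the function names are assumptions made for the demonstration.

```python
import sqlite3

# Constructed sample data for the demo; "o'brien" shows a legitimate value
# containing a quote character.
SAMPLE_USERS = [("alice", "s3cret"), ("bob", "hunter2"),
                ("carol", "pa55"), ("o'brien", "qwerty")]


def make_db() -> sqlite3.Connection:
    """Build a throwaway in-memory database holding the sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_concat(conn: sqlite3.Connection, name: str) -> list:
    """Defective pattern: the user-supplied value is spliced into the SQL
    text, so the database engine cannot distinguish code from data."""
    sql = f"SELECT name FROM users WHERE name = '{name}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_prepared(conn: sqlite3.Connection, name: str) -> list:
    """Recommended pattern: the SQL text is fixed and the value is bound as a
    parameter, so whatever the caller passes is only ever treated as data."""
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def compare(name: str) -> dict:
    """Run both lookups on the same input and report what each returns.
    A syntax error from the concatenated query is reported as a string."""
    conn = make_db()
    try:
        concat = lookup_concat(conn, name)
    except sqlite3.OperationalError as exc:
        concat = f"error: {exc}"
    return {"concat": concat, "prepared": lookup_prepared(conn, name)}


if __name__ == "__main__":
    # A normal name, a tautology input, and a name with an embedded quote.
    for value in ("alice", "' OR '1'='1", "o'brien"):
        print(repr(value), "->", compare(value))
```

Only the parameterized lookup returns exactly the one matching row for every input; the concatenated query returns every user for the tautology input and fails outright on the legitimate quoted name.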
“Migrating to prepared statements generally seems like a reasonable ask, although 'reasonable' for security leaders may not equate to reasonable for all software producers,” Spencer McIntyre, security research manager and head of Metasploit development at Rapid7, said via email. “I would imagine that libraries are readily accessible to support the pattern CISA suggests.”
CISA officials, as part of the Biden administration’s national cybersecurity strategy, have pushed for software and hardware manufacturers to make their products secure by design and secure by default. That would mean customers do not have to search for hidden defects or change configurations after a product has been shipped and installed into a computer network.