CISA & FBI Issue Alert Urging Tech Manufacturers To Eliminate “Unforgivable” SQL Injection Vulnerabilities

On Monday, CISA and the FBI published a “secure-by-design” alert urging technology manufacturers to eliminate the “unforgivable” class of vulnerabilities known as SQL injection (SQLi).

It states that threat actors were able to exploit just such a vulnerability in MOVEit file transfer software last year to devastating effect – data exfiltration from thousands of MOVEit corporate clients impacting the personal details of tens of millions of customers. 

   “Despite widespread knowledge and documentation of SQLi vulnerabilities over the past two decades, along with the availability of effective mitigations, software manufacturers continue to develop products with this defect, which puts many customers at risk.

   “CISA and the FBI urge senior executives at technology manufacturing companies to mount a formal review of their code to determine its susceptibility to SQLi compromises. If found vulnerable, senior executives should ensure their organizations’ software developers begin immediate implementation of mitigations to eliminate this entire class of defect from all current and future software products,” the alert noted.
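The alert refers to “effective mitigations” without spelling them out. The standard one is to keep untrusted input out of the SQL text entirely by binding it as a parameter. The following is an added example written for this post, not code from the alert, from CISA, or from The IT Nerd. It uses a constructed in-memory SQLite table with three made-up users, puts the defective string-concatenation pattern next to the parameterized form, and also shows the one case parameters cannot cover: identifiers such as a sort column, which have to be checked against a fixed allowlist instead.

```python
import sqlite3

# Constructed sample data (made up for this example, not from the alert).
SAMPLE_USERS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
    ("carol", "carol@example.com"),
]


def make_db():
    """Create an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users (username, email) VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, username):
    """The defect the alert describes: the caller's input is spliced into the
    SQL string, so the database parses it as SQL rather than as a value."""
    sql = "SELECT username FROM users WHERE username = '" + username + "' ORDER BY username"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, username):
    """The mitigation: the statement text is fixed and the input travels as a
    bound parameter, so quotes or keywords in it are compared as plain data."""
    sql = "SELECT username FROM users WHERE username = ? ORDER BY username"
    return [row[0] for row in conn.execute(sql, (username,))]


# Parameters bind values, not identifiers. Anything that names a table or
# column must be validated against an allowlist before it touches the query.
ALLOWED_SORT_COLUMNS = {"username", "email"}


def list_users_sorted(conn, sort_by):
    """List usernames ordered by a caller-chosen column, accepting only
    columns from the allowlist (hypothetical helper for this example)."""
    if sort_by not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"unsupported sort column: {sort_by!r}")
    # Safe to interpolate only because sort_by is one of the fixed literals above.
    return [row[0] for row in conn.execute(f"SELECT username FROM users ORDER BY {sort_by}")]


def demo():
    """Run the same two inputs through both lookups and return the results."""
    conn = make_db()
    benign = "alice"
    # Constructed input that happens to contain SQL syntax (a quote and OR).
    input_with_sql_syntax = "x' OR '1'='1"
    return {
        "vulnerable_benign": lookup_vulnerable(conn, benign),
        "vulnerable_sql_syntax": lookup_vulnerable(conn, input_with_sql_syntax),
        "param_benign": lookup_parameterized(conn, benign),
        "param_sql_syntax": lookup_parameterized(conn, input_with_sql_syntax),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

With the benign input both lookups return the single matching row. With the second input the concatenating version returns every row in the table, because the quote closed the literal and the rest became part of the WHERE clause, while the parameterized version returns nothing, because no user is literally named `x' OR '1'='1`. The point for a code review is that the fix is structural: a query whose text is built from input is the defect, whatever filtering sits in front of it.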

The alert offered the following guidelines for technology manufacturers:

  • Take Ownership of Customer Security Outcomes
  • Embrace Radical Transparency and Accountability
  • Build Organizational Structure and Leadership to Achieve These Goals

Emily Phelps, Director, Cyware:

   “This CISA and FBI initiative, particularly in eliminating SQL injection vulnerabilities, is important. It highlights the need for proactive cybersecurity measures to protect sensitive data from well-known threats. This effort is not just about improving security; it’s about building a foundation of trust between technology providers and their users, ensuring that privacy and safety are prioritized.

   “Collaboration between the private and public sectors is crucial. By working together, these sectors can share knowledge, tools, and strategies, making it much harder for cyber threats to penetrate their defenses.”

It’s 2024 and SQL Injection vulnerabilities should be a thing of the past. I’m not sure why this has to be constantly deemed to be unacceptable. But hopefully everyone gets the message and does something to relegate them to the history books.
