Subj : The FBI and CISA want to lead a major crackdown on SQL vulnerabil
To   : All
From : TechnologyDaily
Date : Tue Mar 26 2024 15:30:05

The FBI and CISA want to lead a major crackdown on SQL vulnerabilities

Date:
Tue, 26 Mar 2024 15:20:33 +0000

Description:
Software developers urged to change their approach to coding and make their 
products secure by design.

FULL STORY
======================================================================

Despite being well-documented for some time now, and considered an 
unforgivable mishap, SQL Injection (SQLi) vulnerabilities remain a persistent 
class of defect in commercial software products, a new report from the 
Cybersecurity and Infrastructure Security Agency (CISA), and the Federal 
Bureau of Investigation (FBI) has declared. 

In the paper, the two US government agencies are urging commercial software 
builders to mount a formal review of their code to establish whether or not 
it is susceptible to SQLi. 

Users are advised to push their vendors to run such reviews. Bypassing 2FA 

If they discover their code has vulnerabilities, senior executives should 
ensure their organizations software developers immediately begin implementing 
mitigations to eliminate this entire class of defect from all current and 
future software products, the two firms said. 

SQL injection is a type of attack in which a hacker can inject malicious 
queries into an SQL command, resulting in the execution of arbitrary queries. 
As a result, threat actors could access sensitive data, and even take over 
vulnerable systems. 

This type of vulnerability stems from the co-mingling of database queries and 
user-supplied data, the two organizations explained. To mitigate the threat, 
organizations should use parameterized queries with prepared statements, as 
this approach separates SQL code from user data. 

SQLi vulnerabilities were the third most dangerous software vulnerability 
between 2021 and 2022 according to MITRE, BleepingComputer reported in its 
writeup. 

"Incorporating this mitigation at the outsetbeginning in the design phase and 
continuing through development, release, and updatesreduces the burden of 
cybersecurity on customers and risk to the public." 

CISA and the FBI said they released Secure by Design Alert in response to a 
recent well-publicized malicious threat actor campaign that exploited SQLi 
defects in a managed file transfer application to target and compromise users 
of that applicationimpacting thousands of organizations, referring to last 
years Cl0p campaign that started with a vulnerability in MOVEit. More from 
TechRadar Pro Comcast Xfinity accounts are being attacked in 2FA bypass 
attacks Here's a list of the best firewalls around today These are the best 
endpoint security tools right now



======================================================================
Link to news story:
https://www.techradar.com/pro/security/the-fbi-and-cisa-want-to-lead-a-major-c
rackdown-on-sql-vulnerabilities


--- Mystic BBS v1.12 A47 (Linux/64)
 * Origin: tqwNet Technology News (1337:1/100)

.