In response to the news that a SQL injection flaw in a Wall Street Journal database has led to a breach, Barry Shteiman, director of security strategy at Imperva, commented:
“According to our systems, in the past month alone (going 30 days back) 48.9% of all the web attacks that we see through our community defense contain the SQL Injection attack vector. How can that be?
The problem starts with education and some misconceptions that different technologies might solve the same problem. In reality that is not true, or else – how is it that 12 years after we started this thing, there are still major data breaches that revolve around an SQL Injection?
In reality, the technical challenge around SQL Injection has become more complex over the years. A lot of it is due to libraries that manage SQL for the developers, some of it is because of components that are developed outside of the organization without control, but we must remember that hackers evolve as well. 15 years ago, a hacker had to manually create injection vectors – today, this is all automated and packaged into industrialized tools.
While I can’t estimate the dollar value of the stolen database, I think the cost of SQLi speaks for itself in estimating the actual cost of this incident and others that are bound to come.”