Sloppy site developers are to blame for a recent rash of SQL web server attacks estimated to have compromised hundreds of thousands of websites, a security firm claimed today.
Jacob West, manager of Fortify's Security Research Group, said: "SQL injection is a straightforward problem to identify and avoid when compared with other code-level vulnerabilities.
"But these attacks demonstrate that some organisations building web applications are still woefully behind the bad guys."
West believes that the solution to this and similar problems is a software development lifecycle designed to build in security from the ground up.
"Security is a critical attribute during the design, building, testing and deployment phases," he said.
"Software developed without a full-lifecycle approach, and the right tools to support each phase, is destined to suffer security compromises."
The tool behind the attack harnesses Google to search for sites that include a file type and parameter that appear to be susceptible to SQL injection.
The script then uses this list of targets to mount a persistent cross-site scripting attack that embeds malicious JavaScript/HTML in the vulnerable application and infects all visitors to the site.
"Although this wave of attacks targets an application vulnerability that is the result of poor programming, it is indicative of the larger problem," said West.
"The software engineering and security fields need to provide developers with APIs that make it easier to get security right, and better tools and processes to ensure that the software they build with these APIs is secure."
