SQL injection attacks are in decline – or are they?

According to IBM X-Force's report, SQL injection became the attack flavour of the month and was then exploited so widely that there were few in the industry who didn't know what it was.

And, says the company, now that awareness has saturated the industry, more websites are defending against the problem.

Interestingly, however, the IBM report found a significant increase in attacks using code obfuscation, often launched using automated exploit toolkits, to hide from IT security software.

You'd expect the 11% fall in SQL injection and allied attack vectors to be welcomed by the industry, but data security specialist Imperva has cast doubt on the findings.

Amichai Shulman, the company's chief technology officer, said that the report is misleading because it only covers publicly disclosed vulnerabilities in products. "IBM only counts vulnerabilities in commercial products and frameworks. While there might be a decline in the number of SQL injection vulnerabilities in products and frameworks it is not necessarily indicative of the number of application specific vulnerabilities", he said.

"Also, whilst the percentage of SQL injection vulnerabilities among total vulnerabilities may decline, their overall absolute number is still on the rise as more vulnerable applications are put online", he added.

Shulman noted a recent Cenzic report that showed SQL injections to be on the rise, which he says is correct, as the Cenzic study tracked SQL injections in custom applications that are not counted in the IBM X-Force report.

This, he said, is a much better indicator and confirms what Imperva has been seeing with its own forensic investigations.
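The distinction Shulman draws is between bugs in shipped products, which get a CVE and show up in a vendor count, and bugs an in-house developer writes into a bespoke login page, which never will. The following example, added here for illustration and not taken from the IBM, Imperva or Cenzic reports, shows what such an application-specific SQL injection looks like in practice and how a bound-parameter query closes it. It uses Python's built-in sqlite3 module with a constructed two-row user table; the function and table names are the example's own.

```python
import sqlite3

# Constructed sample data: a minimal credential table standing in for the
# kind of custom application no product advisory would ever describe.
SAMPLE_USERS = [("alice", "s3cret"), ("bob", "hunter2")]


def make_db():
    """Create an in-memory database seeded with the constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn, username, password):
    """Build the query by string concatenation.

    This is the application-specific bug: user input becomes part of the
    SQL text, so a quote in the input rewrites the WHERE clause.
    """
    sql = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterized(conn, username, password):
    """Same logic with bound parameters.

    The statement text is fixed; the driver passes the values separately,
    so the same payload is compared literally against the stored password.
    """
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


def demo():
    """Run both versions against valid credentials and a tautology payload."""
    conn = make_db()
    # Classic payload in the password field. In the concatenated query it
    # yields ... AND password = '' OR '1'='1', and since AND binds tighter
    # than OR the clause is true for every row, so an unknown user logs in
    # as whichever row comes first.
    payload = "' OR '1'='1"
    return {
        "vuln_valid": login_vulnerable(conn, "alice", "s3cret"),
        "vuln_attack": login_vulnerable(conn, "nobody", payload),
        "safe_valid": login_parameterized(conn, "alice", "s3cret"),
        "safe_attack": login_parameterized(conn, "nobody", payload),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result!r}")
```

Running `demo()` shows the concatenated query accepting the payload for a non-existent user and returning the first stored account, while the parameterized query returns nothing for the same input. This is the sort of defect a scanner of custom applications finds and a product-vulnerability count never sees, which is the gap Shulman is pointing at.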

Shulman adds that the IBM report could potentially send the wrong message to the industry, as SQL injections are the first choice amongst cybercriminals when it comes to data theft.

"Any hint that such attacks are on the decline could give the wrong impression that SQL injection attacks are on the decline. The reality is that, in fact, enterprises need to be extremely vigilant and do everything they can do to stop hackers' favorite method of attack", he said.
