{"id":171726,"date":"2023-09-10T09:26:46","date_gmt":"2023-09-10T14:26:46","guid":{"rendered":"https:\/\/lifeboat.com\/blog\/2023\/09\/moveit-breach-shows-us-sql-injections-are-still-our-achilles-heel"},"modified":"2023-09-10T09:26:46","modified_gmt":"2023-09-10T14:26:46","slug":"moveit-breach-shows-us-sql-injections-are-still-our-achilles-heel","status":"publish","type":"post","link":"https:\/\/lifeboat.com\/blog\/2023\/09\/moveit-breach-shows-us-sql-injections-are-still-our-achilles-heel","title":{"rendered":"MOVEit Breach Shows Us SQL Injections Are Still Our Achilles\u2019 Heel"},"content":{"rendered":"<p>In late 1998, when I was just beginning my career in technology, I read in the venerable Phrack magazine how poor input sanitization allowed rain.forest.puppy (the pseudonym used by Jeff Forristal) to pass SQL query strings directly to the back-end database of a Web application.<\/p>\n<p>It\u2019s an unfortunate reality that a quarter of a century later, SQL injection \u2014 among the lowest hanging of security fruit \u2014 is still included in the Open Worldwide Application Security Project (OWASP) Top 10 list of security vulnerabilities. One of the worst attacks ever occurred back in 2008, when <a href=\"https:\/\/www.darkreading.com\/attacks-breaches\/russian-hackers-sentenced-in-heartland-payment-systems-breach-case\" target=\"_blank\">Heartland Payment Systems was breached<\/a> and more than 130 million credit and debit card numbers were compromised. 
In 2023, the <a href=\"https:\/\/www.cisa.gov\/news-events\/cybersecurity-advisories\/aa23-158a\" target=\"_blank\">Cl0p ransomware group<\/a> exploited previously unknown SQL injection vulnerabilities in MOVEit, Progress Software\u2019s file transfer program, and compromised hundreds of victims as part of a <a href=\"https:\/\/www.darkreading.com\/attacks-breaches\/shell-latest-cl0p-moveit-victim\" target=\"_blank\">supply chain attack<\/a>.<\/p>\n<p>We do not have insight into Progress Software\u2019s software development life cycle or security practices to ascertain what happened. While a vulnerability assessment system or even a bug hunting program could have potentially identified SQL injection flaws in the code before it was exploited, focusing on producing code that is secure by construction is an even better way to address this class of vulnerability.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>In late 1998, when I was just beginning my career in technology, I read in the venerable Phrack magazine how poor input sanitization allowed rain.forest.puppy (the pseudonym used by Jeff Forristal) to pass SQL query strings directly to the back-end database of a Web application. 
It\u2019s an unfortunate reality that a quarter of a century [\u2026]<\/p>\n","protected":false},"author":662,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[34],"tags":[],"class_list":["post-171726","post","type-post","status-publish","format-standard","hentry","category-cybercrime-malcode"],"_links":{"self":[{"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/posts\/171726","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/users\/662"}],"replies":[{"embeddable":true,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/comments?post=171726"}],"version-history":[{"count":0,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/posts\/171726\/revisions"}],"wp:attachment":[{"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/media?parent=171726"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/categories?post=171726"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/tags?post=171726"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}