The Info Security website recently republished Breach Security’s report, The Web Hacking Incidents Database (WHID) 2008 Annual Report, raising questions about secure application development for internet-facing applications.
The WHID report identifies automated SQL injection attacks as the defining trend of 2008.
“SQL Injection attacks that planted malware on target web sites were the #1 attack/outcome vectors for criminals in 2008.”
The Breach Security report echoes the findings of the IBM Internet Security Systems X-Force® 2008 Trend & Risk Report published earlier this year:
“…we have seen mass SQL injection attacks, a portion of which is attributed to the Asprox botnet. This combination of a botnet plus a SQL injection attack capability enabled another method of mass delivery of malware in which a large number of affected sites effectively becomes a delivery point. Additionally, these automated attacks also highlighted the high number of Web sites vulnerable to SQL injection and that secure development practices will go a long way in effectively mitigating these attacks.”
Sites like the Microsoft Developer Network include articles on how to fix security holes in application platforms like .NET to protect applications from SQL injection attacks, yet the problem remains widespread across a wide variety of applications.
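The secure development practice both reports point to is to stop building SQL text out of user input and bind that input as a parameter instead. The following is an added illustration, not code from either report or from the MSDN articles; it uses Python's standard sqlite3 module as a stand-in for the .NET data access code those articles address, with a constructed two-row user table.

```python
import sqlite3

# Constructed sample data standing in for an application's user table.
SAMPLE_USERS = [("alice", "alice@example.com"), ("O'Reilly", "tim@example.com")]


def _connect():
    """Build an in-memory database seeded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_email_unsafe(name):
    """Vulnerable pattern: the user-supplied name is spliced into the SQL text.
    A quote in the input changes the statement's grammar, so the database
    parses data as code. With an ordinary name containing an apostrophe this
    surfaces as a syntax error, which is the same defect an attacker abuses."""
    conn = _connect()
    sql = "SELECT email FROM users WHERE name = '" + name + "'"
    try:
        return [row[0] for row in conn.execute(sql).fetchall()]
    finally:
        conn.close()


def lookup_email_safe(name):
    """Hardened pattern: a parameterised query. The SQL text is fixed and the
    input is bound as a value, so it can never alter the statement."""
    conn = _connect()
    try:
        rows = conn.execute("SELECT email FROM users WHERE name = ?", (name,))
        return [row[0] for row in rows.fetchall()]
    finally:
        conn.close()


def compare(name):
    """Run both lookups on the same input and report what each did with it."""
    try:
        unsafe = lookup_email_unsafe(name)
    except sqlite3.OperationalError as exc:
        unsafe = "SQL error: " + str(exc)  # input altered the statement structure
    return {"unsafe": unsafe, "safe": lookup_email_safe(name)}


if __name__ == "__main__":
    print(compare("O'Reilly"))
```

The parameterised version returns the correct row for a name containing a quote, while the concatenated version fails because the quote was parsed as SQL syntax rather than as data.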
The Breach Security report also indicates a shift away from ideological and defacement attacks and an increase in more commercially oriented attacks, which in turn changes which web sites are targeted. Breach Security reports a large increase in attacks focused on financial institutions. Government and law enforcement sites continue to be subject to the largest number of reported attacks.