Tuesday, November 09, 2010

Clearly ahead of my time

Yesterday I put up a post about Validating user input. Today, there is news that the British Navy has been hit with a SQL injection attack.

I have a very simple question about this: why is this sort of thing still happening? Not only are we talking about an attack that is very simple to defend against, but we are also talking about a military organisation. I'm sure that most countries have invested large amounts of money into cyber security, and yet they are still failing to implement simple security measures.
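To show how little the defence actually takes, here is an added illustration (not code from the original post) in Python using the standard sqlite3 module. The in-memory table, the row in it and the probe input are constructed for this demonstration. The vulnerable login splices user input into the SQL text; the fixed version passes the same values as bound parameters, so the driver never treats them as SQL.

```python
import sqlite3


def build_db():
    # Constructed in-memory sample database for the demonstration;
    # the table and its single row are made up for this example.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute(
        "INSERT INTO users VALUES ('alice', 'correct horse battery staple')"
    )
    return conn


def login_vulnerable(conn, username, password):
    # Defect: the values are formatted straight into the query string,
    # so the input can change the structure of the statement, not just
    # the data it compares against.
    sql = (
        "SELECT username FROM users "
        "WHERE username = '%s' AND password = '%s'" % (username, password)
    )
    return conn.execute(sql).fetchone()


def login_parameterised(conn, username, password):
    # Fix: placeholders in the SQL text, values supplied separately.
    # The driver binds them as data, so quotes or keywords in the input
    # cannot alter the statement.
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()


def demo():
    # Runs both versions against a valid credential and against a probe
    # input of the kind a code reviewer or tester would use locally to
    # confirm the defect. Returns the matched row (or None) for each case.
    conn = build_db()
    good_user, good_pass = "alice", "correct horse battery staple"
    probe = "' OR '1'='1"  # constructed test input, not from the post
    return {
        "vulnerable_good": login_vulnerable(conn, good_user, good_pass),
        "vulnerable_probe": login_vulnerable(conn, probe, probe),
        "fixed_good": login_parameterised(conn, good_user, good_pass),
        "fixed_probe": login_parameterised(conn, probe, probe),
    }


if __name__ == "__main__":
    for case, row in demo().items():
        print(f"{case}: {row}")
```

The vulnerable function returns the stored row for the probe input because the formatted statement becomes `... WHERE username = '' OR '1'='1' AND password = '' OR '1'='1'`, which is true for every row; the parameterised function returns nothing for the same input and still matches the genuine credential. This single change is the measure a code review should be checking for.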

Here is a list of possible ways this could have been picked up BEFORE it became an issue:

  • Code Reviews. Easy, internal, and should be done by a person who knows about this sort of thing.
  • External Code Reviews. If you don't have in-house expertise, there are plenty of companies out there who can help.
  • Application Security Testing. Get an external company to try to break into the system.

There are many other ways, but these, in conjunction with better education, would go a long way to ensuring these types of attacks are a thing of the past.
