If you’re a business owner with an online presence and you’re not taking SQL injections seriously then you could be in serious trouble.
SQL injection attacks exploit vulnerabilities in database-driven web applications and can cause you to lose customers’ personal details and, subsequently, thousands in revenue.
Barclays reported in 2012 that 97% of data breaches around the world were being carried out by SQL injections. Discussing the issue during the Infosecurity Europe Press Conference, Barclays’ head of payment security, Neira Jones, stated that SQL injections affected more than 1.8 million and cost businesses more than £2.7 billion ($3.8 billion) in the UK alone.
In 2015, that 97% figure had dropped to 27%, according to Softpedia. However, the same article also highlighted that 32% of all web applications are vulnerable to SQL injections and the average cost of a minor attack was $196,000.
If you’ve never considered the impact of SQL injections on your business in the past, then you should now be taking it more seriously.
How Do SQL Injections Work and What Do They Do?
Before we outline the best way to protect your business from SQL injections, here’s a brief overview of how they work and the damage they can do.
- A business is using a database-driven website where users have to create an account to access the products on offer.
- Inside the website’s code there is a flaw which the attacker exploits using an SQL injection.
- Typically, a user enters their login details into a form and the application places them inside an SQL query. The database then runs this query and returns a true value if the details match those stored in the database.
- An attacker using an SQL injection disrupts this process by entering input that is treated as part of the query rather than as a plain value. This can trick the database into evaluating the query as true, giving the attacker access to the database and, potentially, any personal data stored in it.
SQL Injection Prevention: How to Protect Your Business
Although SQL injections are fairly simple to stop, many businesses are still ignoring the basics. One of the first steps you should take as a business owner is to ensure your website’s code validates and sanitizes user input so that malformed requests are rejected.
The first line of defence against SQL injections should be prepared statements with parameterized queries. Writing database queries this way forces developers to define all of the SQL code up front, so user input is only ever handled as data and can never become part of the query itself. Applying this rigour to the coding process makes flaws less likely and, therefore, gives you a more secure system from the start.
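The login flaw outlined in the list above and the prepared-statement fix from this paragraph, side by side, as an added example that is not from the original article. It uses Python’s built-in sqlite3 module with a constructed in-memory user table; the user name, password and table layout are made up for the demonstration.

```python
import sqlite3


def make_db():
    # Constructed sample database: one user, password stored in plaintext
    # only to keep the example short (a real system stores a password hash).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    # The flaw: the query text is built by pasting user input into it, so a
    # quote character in the input changes the structure of the SQL itself.
    sql = ("SELECT COUNT(*) FROM users WHERE username = '%s' "
           "AND password = '%s'" % (username, password))
    return conn.execute(sql).fetchone()[0] > 0


def login_parameterized(conn, username, password):
    # The fix: the SQL structure is fixed by the developer and the values are
    # bound separately as parameters, so input is only ever treated as data.
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


def compare(conn, username, password):
    # Returns (vulnerable_result, parameterized_result) for the same input,
    # which makes the difference between the two approaches visible.
    return (login_vulnerable(conn, username, password),
            login_parameterized(conn, username, password))


if __name__ == "__main__":
    db = make_db()
    # A genuine login succeeds either way.
    print("valid credentials:", compare(db, "alice", "correct-horse"))
    # A wrong password fails either way.
    print("wrong password:   ", compare(db, "alice", "wrong"))
    # Input containing a quote only fools the string-built query.
    print("quote in input:   ", compare(db, "alice", "x' OR '1'='1"))
```

Only the parameterized version rejects the quoted input; the string-built query evaluates to true for every row because the input rewrote its WHERE clause.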
However, according to security experts Incapsula, this isn’t a “foolproof” solution. This is simply because there is no way to recognize all of the SQLi attack vectors, or to anticipate future changes to the code environment.
This is why it’s important to validate data on the server side as well as the client side. One of the best ways to add a further layer of protection against web application attacks, such as SQL injections, is a web application firewall (WAF).
Filtering traffic through a WAF helps you avoid issues such as SQL injections because it actively inspects incoming requests for malicious patterns. Using this kind of system to inspect web application traffic has been shown to reduce data breaches by a significant margin.
Despite being around for more than a decade, SQL injections are still a major threat to business owners around the world, and if you aren’t actively addressing the issue, then you could be costing yourself money. As stated, the average cost of an SQL injection is $196,000. However, for a small fee (a WAF can cost just a few hundred dollars a month) you could virtually eliminate the problem.
To be in business online you need to ensure every leak is plugged and, when it comes to SQL injections, it’s worth remembering that you need just three letters (WAF) to prevent any problems.