https://community.isc2.org/t5/Tech-Talk/Injection-Flaws-Long-Trending-Security-Risk/m-p/17755#M778 <P>&gt; iluom (Newcomer II) posted a new topic in Tech Talk on 01-09-2019 06:37 AM in<BR /><BR />&gt; &nbsp; I know<BR />&gt; that&nbsp;there is no guarantee for 100% security in the world, if someone says it's<BR />&gt; a myth, however my question is why it's standing at the top of the list? &nbsp; I'm<BR />&gt; curious to see a best solution and root cause of it.<BR /><BR />Unfortunately, the root cause is stupidity (on the part of developers), and, equally unfortunately, there is no solution to stupidity.&nbsp; Constant vigilance is the price of having all kinds of creative people building interesting (and all-too-often-useless) stuff without having to go through formal processes of education and certification.</P> Wed, 09 Jan 2019 19:12:14 GMT rslade 2019-01-09T19:12:14Z https://community.isc2.org/t5/Tech-Talk/Injection-Flaws-Long-Trending-Security-Risk/m-p/17740#M773 <P>Good day All,</P><P>&nbsp;</P><P>Injection flaws are trending in OWASP top 10 security risks for the last 15 years. It's No.1 risk.</P><P>Interestingly moving from&nbsp; A6 to A2 to A1 (Please see the pic)</P><P>&nbsp;</P><P>There are many sophisticated injection vulnerability scanning tools, code analysis tools , pen test tools available, there is a lot of awareness about this risk.</P><P>&nbsp;</P><P>Injection flaws are easy to discover when examining code, but frequently hard to discover via testing. Scanners and fuzzers can help attackers find injection flaws</P><P>&nbsp;</P><P>despite of it... it's raising... can't we defend against it to bring it down&nbsp;99% ?&nbsp; I know that&nbsp;there is no guarantee for 100% security in the world, if someone says it's a myth, however my question is why it's standing at the top of the list?</P><P>&nbsp;</P><P>I'm curious to see a best solution and root cause of it.</P><P>&nbsp;</P><P>Cheers</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="OWASP10.jpg" style="width: 999px;"><img src="https://community.isc2.org/t5/image/serverpage/image-id/2883iA7906ECD58335BCF/image-size/large?v=v2&amp;px=999" role="button" title="OWASP10.jpg" alt="OWASP10.jpg" /></span></P> Wed, 09 Jan 2019 11:37:16 GMT https://community.isc2.org/t5/Tech-Talk/Injection-Flaws-Long-Trending-Security-Risk/m-p/17740#M773 iluom 2019-01-09T11:37:16Z https://community.isc2.org/t5/Tech-Talk/Injection-Flaws-Long-Trending-Security-Risk/m-p/17751#M776 <P>Great questions.&nbsp; &nbsp;</P><P>&nbsp;</P><P>I'm going to limit my response to SQL injection vulnerabilities.&nbsp; &nbsp;</P><P>&nbsp;</P><P>No matter how often I urge people to avoid dynamic SQL, they continue to use it.&nbsp; &nbsp;Obviously, dynamic SQL can be made safe through through data escaping and other related hygiene.&nbsp; &nbsp;</P><P>&nbsp;</P><P>I've been working with SQL since the very earliest days of DB2, and back then we&nbsp;were forced to deploy&nbsp; parameterized procs&nbsp;that were written by our DBA team because DB2 was so inefficient back then.&nbsp; &nbsp; Ironically, that may still be the best approach - not for performance, but to help safeguard against SQL injection attacks.</P><P>&nbsp;</P><P>Generally speaking, I don't think we pay enough attention to demonstrating what the bad guys can do with injection attacks.&nbsp; &nbsp;We can use the famous Hack Me Bank....&nbsp; &nbsp;But I've found big improvement when developers actually see what an injection attack can do.</P><P>&nbsp;</P><P>Obviously, building dynamic and static scanning into the SDLC so that developers can test their own work products while they're in the development phase is quite effective.&nbsp; &nbsp; &nbsp;And at first, it's probably going to be necessary to ensure such scanning is taking place.&nbsp; &nbsp; &nbsp;</P><P>&nbsp;</P><P>Of course, a comprehensive pen testing program is also required, but it really shines when the other steps are taken earlier in the SDLC.</P> Wed, 09 Jan 2019 18:41:04 GMT https://community.isc2.org/t5/Tech-Talk/Injection-Flaws-Long-Trending-Security-Risk/m-p/17751#M776 DHerrmann 2019-01-09T18:41:04Z https://community.isc2.org/t5/Tech-Talk/Injection-Flaws-Long-Trending-Security-Risk/m-p/17755#M778 <P>&gt; iluom (Newcomer II) posted a new topic in Tech Talk on 01-09-2019 06:37 AM in<BR /><BR />&gt; &nbsp; I know<BR />&gt; that&nbsp;there is no guarantee for 100% security in the world, if someone says it's<BR />&gt; a myth, however my question is why it's standing at the top of the list? &nbsp; I'm<BR />&gt; curious to see a best solution and root cause of it.<BR /><BR />Unfortunately, the root cause is stupidity (on the part of developers), and, equally unfortunately, there is no solution to stupidity.&nbsp; Constant vigilance is the price of having all kinds of creative people building interesting (and all-too-often-useless) stuff without having to go through formal processes of education and certification.</P> Wed, 09 Jan 2019 19:12:14 GMT https://community.isc2.org/t5/Tech-Talk/Injection-Flaws-Long-Trending-Security-Risk/m-p/17755#M778 rslade 2019-01-09T19:12:14Z https://community.isc2.org/t5/Tech-Talk/Injection-Flaws-Long-Trending-Security-Risk/m-p/17772#M779 <P>SQL Injection Illustration</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="SQLInjection.jpg" style="width: 602px;"><img src="https://community.isc2.org/t5/image/serverpage/image-id/2884i31F60B42FAA97FB5/image-size/large?v=v2&amp;px=999" role="button" title="SQLInjection.jpg" alt="SQLInjection.jpg" /></span></P><P>Image Courtesy : xkcd.com</P> Thu, 10 Jan 2019 05:20:59 GMT https://community.isc2.org/t5/Tech-Talk/Injection-Flaws-Long-Trending-Security-Risk/m-p/17772#M779 iluom 2019-01-10T05:20:59Z