Promoting 'Secure by Design': CISA and FBI's Campaign to Combat SQL Injection Threats

As part of the 'Secure by Design' campaign, CISA, the US cybersecurity agency, and the FBI have published guidance for developers on addressing SQL injection vulnerabilities.

The program, launched by CISA and the FBI, aims to inform and warn software developers about the risk of SQL injection attacks and to provide mitigation techniques.

The "Secure by Design Alert" was released in response to the MOVEit Transfer flaws that affected thousands of users. The severity and frequent occurrence of these security problems are highlighted in a guide called "Eliminating SQL Injection Vulnerabilities in Software".

SQL injection vulnerabilities have been thoroughly documented for more than 20 years, and there are proven ways to avoid them. Despite this, software developers have continued to release products containing these vulnerabilities, endangering a large number of users. The MITRE Corporation classified SQL injection as a significant vulnerability class as early as 2007, yet it remains a frequent security problem.

The CISA and FBI guide describes SQL injection vulnerabilities in detail and recommends countermeasures, chiefly the use of "prepared statements," which MySQL released in 2004. Prepared statements keep SQL code separate from user-supplied data, which makes them a more reliable defence than input sanitization; sanitization is frequently less effective and harder to deploy consistently across a codebase.
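The following is an added example, not code from the article or from the CISA/FBI guide, showing the difference the paragraph describes: a query that splices user data into the SQL text beside a prepared (parameterized) statement. It uses Python's built-in sqlite3 module with a constructed in-memory `users` table; the table, its rows and the function names are assumptions made for this illustration. A perfectly legitimate username containing an apostrophe is enough to show that the concatenated query is being parsed as SQL, while the prepared statement treats the same value as data.

```python
"""Added example (not from the CISA/FBI guide or the article): contrasting a
string-concatenated SQL query with a prepared (parameterized) statement."""
import sqlite3

# Constructed sample data; the table and rows are assumptions for this demo.
SAMPLE_USERS = [
    ("alice", "alice@example.com"),
    ("o'brien", "obrien@example.com"),
    ("bob", "bob@example.com"),
]


def make_db() -> sqlite3.Connection:
    """Create an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """User data is spliced into the SQL text, so the parser sees it as code."""
    query = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_prepared(conn: sqlite3.Connection, username: str) -> list:
    """The SQL text is fixed; the value is bound separately and never parsed as SQL."""
    query = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


def vulnerable_raises(conn: sqlite3.Connection, username: str) -> bool:
    """Return True if the concatenated query fails to parse for this input.

    A syntax error on ordinary input is the visible symptom of the same
    code/data confusion that an injection exploits; the prepared statement
    has no such failure mode because the value never reaches the parser.
    """
    try:
        lookup_vulnerable(conn, username)
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    db = make_db()
    for name in ("alice", "o'brien"):
        print(f"prepared   {name!r}: {lookup_prepared(db, name)}")
        print(f"vulnerable {name!r}: "
              f"{'syntax error' if vulnerable_raises(db, name) else lookup_vulnerable(db, name)}")
```

Run as a script, the prepared lookup returns the matching row for both names, while the concatenated query returns alice's row but fails to parse for o'brien because the apostrophe terminates the string literal early. The practical lesson is the one the guide draws: binding parameters removes the need to reason about which characters are "safe", whereas escaping or filtering has to be right for every input in every code path.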

The guidelines further recommend that the leadership of software companies take ownership of customer security, for example through formal code reviews, transparent reporting of known security vulnerabilities, CVE creation, and security-focused organizational changes.

The 'Secure by Design' campaign promotes the integration of security measures at every stage of the software development lifecycle, with backing from CISA and global partners. In addition to addressing SQL injection, it provides a guide on phishing prevention and emphasizes the risks associated with using default passwords, all with the goal of promoting a more secure online environment.

Code Labs Academy © 2024 All rights reserved.