Commentary
2/27/2013
Larry Seltzer

The Best Way to Spend Your Security Budget

It's easy to come up with scenarios in which mobile devices can compromise an organization. On the spectrum of real-world threats, these are almost all outliers. Probably the most important thing for you to do is to make sure all your SQL queries are parameterized. This will eliminate the most important mass-attack technique used against large companies.

Everyone could use more security budget. There's always more to do. So you have to prioritize your spending. Where can you spend it most effectively? Should you be spending big money on mobile security? Probably not.

The only smart way to prioritize security spending is to do it where it will be the most effective. Mobile security threats are very real and present some really scary scenarios. No way should you blow it off. But the fact is that mobile threats, like Android malware and data exfiltration on BYOD devices, aren't what is causing the big problems and embarrassing headlines for companies.

What is causing those problems? You can find those causes here, in the OWASP Top 10 Project. OWASP is the Open Web Application Security Project, one of the most worthy organizations out there working genuinely to help IT and programmers to improve security. Its web site is a treasure trove of constructive advice for making your systems more secure.

The Top 10 list (the one linked to above is a release candidate for discussion, but it looks pretty much like its recent predecessors) contains "a broad consensus about what the most critical web application security flaws are." In other words, they are the important problems that are really being exploited out in the wild. These are programming problems, not the sort of thing you usually hear about in connection with products being sold.

Number 1 on the list is Injection, which the organization defines this way: "Injection flaws, such as SQL, OS, and LDAP injection occur when untrusted data is sent to an interpreter as part of a command or query. The attacker's hostile data can trick the interpreter into executing unintended commands or accessing unauthorized data." The most famous and most consequential of injection flaws is SQL injection.

The really big damage to companies and their reputation happens when systems are compromised on the back end, where the big data is stored. SQL injection is the most popular way to do it.

[Image: The results of a mass SQL injection campaign in 2008. (source: F-Secure)]

The amazing thing about SQL injection is that not only is it the most damaging of vulnerabilities, but we know a way to end it: parameterized queries. Vulnerable SQL code usually gets that way because a program takes user input (First Name, Last Name, Address, etc.), uses that to construct a SQL statement dynamically and then executes it. When the user/attacker inputs characters that terminate the query and execute another, the dynamic SQL statement ends up executing the attacker's query.

If you're involved in this sort of programming I strongly recommend studying the OWASP SQL Injection Prevention Cheat Sheet. I won't go into detail here about how parameterized queries work; I'll just note that it's a programming technique in which user input is bound to program variables, which the database server then uses to construct the query and execute it. Not only are these queries impervious to SQL injection, but they can easily execute faster when heavily used, because the server can reuse the prepared statement.
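The contrast the two paragraphs above describe, as an added example that is not part of the original column: a lookup built by string concatenation beside the same lookup written with a bound parameter, run against a small in-memory SQLite table constructed here for the demonstration. The table, the sample rows and the function names are assumptions for illustration, not anything from the article.

```python
import sqlite3


def make_db():
    # Constructed sample data for the demonstration (not from the article).
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, last_name TEXT, email TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (last_name, email) VALUES (?, ?)",
        [
            ("Smith", "smith@example.com"),
            ("Jones", "jones@example.com"),
            ("Lee", "lee@example.com"),
        ],
    )
    return conn


def find_by_last_name_vulnerable(conn, last_name):
    # Dynamic SQL: the user's input is pasted into the statement text, so the
    # database parses whatever characters the user supplied as part of the query.
    sql = "SELECT email FROM customers WHERE last_name = '" + last_name + "'"
    return [row[0] for row in conn.execute(sql)]


def find_by_last_name_parameterized(conn, last_name):
    # Parameterized query: the statement text is fixed and the input is bound
    # to the placeholder as a value, so it can never change the query's meaning.
    sql = "SELECT email FROM customers WHERE last_name = ?"
    return [row[0] for row in conn.execute(sql, (last_name,))]


if __name__ == "__main__":
    conn = make_db()
    # A value that closes the quoted string and appends an always-true condition,
    # the kind of input the article describes. Only the concatenated version
    # is affected by it.
    hostile = "' OR '1'='1"
    print("normal, concatenated:  ", find_by_last_name_vulnerable(conn, "Smith"))
    print("hostile, concatenated: ", find_by_last_name_vulnerable(conn, hostile))
    print("hostile, parameterized:", find_by_last_name_parameterized(conn, hostile))
```

Running it shows the concatenated version returning every customer's email for the hostile value, while the parameterized version looks for a customer whose last name literally is that string and finds nothing. One caveat worth knowing before relying on this: placeholders bind values only. A table or column name chosen by the user cannot be parameterized and has to be checked against a fixed allow-list instead.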

Note that you won't find mobile threats, at least not explicitly, in the OWASP top 10. That's because, for all their potential to cause damage, it's still really just potential. Attackers would have to go to a lot of trouble to execute a mass attack on mobile devices, but one SQL injection attack can bring in big bucks. It's a no-brainer that you should make this problem top priority.
