The Best Way to Spend Your Security Budget

Larry Seltzer, InformationWeek Commentary, 2/27/2013 11:19 PM

It's easy to come up with scenarios in which mobile devices compromise an organization, but on the spectrum of real-world threats almost all of them are outliers. Probably the most important thing you can do is make sure all your SQL queries are parameterized. That eliminates the most important mass-attack technique used against large companies.

Everyone could use more security budget. There's always more to do. So you have to prioritize your spending. Where can you spend it most effectively? Should you be spending big money on mobile security? Probably not.

The only smart way to prioritize security spending is to do it where it will be the most effective. Mobile security threats are very real and present some really scary scenarios. No way should you blow it off. But the fact is that mobile threats, like Android malware and data exfiltration on BYOD devices, aren't what is causing the big problems and embarrassing headlines for companies.

What is causing those problems? You can find those causes here, in the OWASP Top 10 Project. OWASP is the Open Web Application Security Project, one of the most worthy organizations out there working genuinely to help IT and programmers to improve security. Its web site is a treasure trove of constructive advice for making your systems more secure.

The Top 10 list (the one linked to above is a release candidate for discussion, but it looks much like its recent predecessors) represents "a broad consensus about what the most critical web application security flaws are." In other words, these are the important problems that are actually being exploited in the wild. They are programming problems, not the sort of thing you usually hear about in connection with security products being sold.

Number 1 on the list is Injection, which the organization defines this way: "Injection flaws, such as SQL, OS, and LDAP injection occur when untrusted data is sent to an interpreter as part of a command or query. The attacker's hostile data can trick the interpreter into executing unintended commands or accessing unauthorized data." The most famous and most consequential of injection flaws is SQL injection.

The really big damage to companies and their reputation happens when systems are compromised on the back end, where the big data is stored. SQL injection is the most popular way to do it.

[Image] The results of a mass SQL injection campaign in 2008. (source: F-Secure)

The amazing thing about SQL injection is that not only is it the most damaging class of vulnerability, but we know how to end it: parameterized queries. Vulnerable SQL code usually gets that way because a program takes user input (first name, last name, address, etc.), uses it to construct a SQL statement dynamically as a string, and then executes that string. When the user (or attacker) supplies characters that terminate the intended query and start another, the dynamically built statement ends up executing the attacker's query instead of the programmer's.

If you're involved in this sort of programming I strongly recommend studying the OWASP SQL Injection Prevention Cheat Sheet. I won't go into detail here about how parameterized queries work; the short version is that the SQL text is fixed in the program and user input is bound to placeholders, which the database server fills in as data when it executes the query. Input bound this way is never interpreted as SQL, so these queries are impervious to SQL injection, and because the server can reuse the prepared statement, heavily used queries can easily execute faster as well.
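As an added illustration of the two preceding paragraphs (this is example code written for this page, not code from the article, OWASP, or F-Secure), the block below builds a small in-memory SQLite table with constructed sample users and runs the same lookup two ways: once by splicing the input into the SQL string, once with a bound parameter. The sample names, table layout and function names are all assumptions made for the demonstration. Two inputs show the difference: a perfectly legitimate last name containing an apostrophe breaks the dynamic query outright, and a classic quote-and-tautology string makes the dynamic query return every row while the parameterized query simply finds no one with that literal last name.

```python
import sqlite3

# Constructed sample data for the demonstration (not from the article).
SAMPLE_USERS = [
    ("alice", "Alice", "Anderson"),
    ("bob", "Bob", "Baker"),
    ("carol", "Carol", "Chen"),
    ("dan", "Dan", "O'Brien"),   # a legitimate name with an apostrophe
]


def build_db():
    """Create an in-memory SQLite database holding the sample users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT, first_name TEXT, last_name TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_dynamic(conn, last_name):
    """Vulnerable pattern: the input is spliced into the SQL text, so any
    quote characters in it change the structure of the statement."""
    sql = "SELECT username FROM users WHERE last_name = '" + last_name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, last_name):
    """Hardened pattern: the SQL text is fixed and the value is bound to a
    placeholder. The driver passes it to the engine as data, never as SQL."""
    sql = "SELECT username FROM users WHERE last_name = ?"
    return [row[0] for row in conn.execute(sql, (last_name,))]


def compare(last_name):
    """Run both lookups on the same input and return the results side by side.
    A SQL error from the dynamic version is reported as an 'error: ...' string
    instead of being raised, so the two outcomes can be compared directly."""
    conn = build_db()
    try:
        try:
            dynamic = lookup_dynamic(conn, last_name)
        except sqlite3.Error as exc:
            dynamic = "error: " + str(exc)
        return {
            "dynamic": dynamic,
            "parameterized": lookup_parameterized(conn, last_name),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    # An ordinary lookup behaves the same either way.
    print(compare("Baker"))
    # A legitimate apostrophe breaks the dynamic query but not the bound one.
    print(compare("O'Brien"))
    # The textbook quote-and-tautology input: the dynamic query's WHERE clause
    # becomes always true and returns every user; the parameterized query
    # searches for that exact string as a last name and returns nothing.
    print(compare("x' OR '1'='1"))
```

The point to take from the third case is not the specific string but that the parameterized version's SQL never changed shape: the server compiled one fixed statement and treated whatever arrived as a value to compare against. That is why the cheat sheet's advice works regardless of how the input is filtered or escaped elsewhere.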

Note that you won't find mobile threats, at least not explicitly, in the OWASP Top 10. That's because, for all their potential to cause damage, it is still mostly potential. Attackers would have to go to a lot of trouble to execute a mass attack on mobile devices, whereas one SQL injection attack can bring in big bucks. It's a no-brainer that you should make this problem your top priority.
