
Traditional Security Methods are Insufficient

Network firewalls and Intrusion Prevention Systems (IPS) attempt to identify SQL injection via traditional signature-based protections. The most common way of detecting SQL injection attacks is to look for SQL signatures in the incoming HTTP stream, for example SQL keywords such as UNION, SELECT or xp_. The problem with this approach is the high rate of false positives: most SQL keywords are ordinary words that can legitimately appear in the incoming HTTP stream. Ultimately, the security administrator will either disable or ignore any SQL alert reported. To overcome this problem to an extent, the product should learn where it should and should not expect SQL signatures to appear. The ability to extract parameter values from the entire HTTP request, and the ability to handle various encoding scenarios, are therefore important requirements. Certain Web application firewall products address this need.
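The contrast drawn above can be shown in code. The following is an added example written for this article, not code from the original page or from any WAF vendor: a naive detector searches the raw HTTP stream for bare SQL keywords, while a parameter-aware detector splits the request into path and parameters, URL-decodes each value (repeatedly, to cover double encoding) and judges it against a per-parameter profile. The profile, the sample requests and the parameter kinds (`numeric`, `free_text`) are constructed for the example; a commercial product would learn the profile from observed traffic.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Bare SQL words a signature-only IPS might search for anywhere in the stream.
NAIVE_SIGNATURES = re.compile(r"\b(union|select|xp_\w+)\b", re.IGNORECASE)
# A check that needs SQL *structure*, applied only where SQL is not expected.
STRUCTURED_SQL = re.compile(r"\bunion\b.*\bselect\b|\bxp_\w+\b", re.IGNORECASE | re.DOTALL)

# Constructed profile of what the application accepts per path and parameter.
# A commercial WAF learns this by observing traffic; here it is hand-written.
PROFILE = {
    "/product": {"id": "numeric"},
    "/forum/post": {"title": "free_text", "body": "free_text"},
}

# Constructed sample requests (not captured traffic).
SAMPLE_REQUESTS = {
    # Harmless forum post whose body happens to contain SQL keywords.
    "forum_post": ("POST /forum/post HTTP/1.1\r\nHost: example.test\r\n"
                   "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
                   "title=Union+rules&body=Please+select+the+best+answer"),
    "product_ok": "GET /product?id=42 HTTP/1.1\r\nHost: example.test\r\n\r\n",
    # Numeric parameter carrying a URL-encoded UNION payload.
    "product_injected": ("GET /product?id=42%20UNION%20SELECT%201%2C2 HTTP/1.1\r\n"
                         "Host: example.test\r\n\r\n"),
    # Same payload, double-encoded (%25 is a literal '%').
    "product_double_encoded": ("GET /product?id=42%2520UNION%2520SELECT%25201%252C2 HTTP/1.1\r\n"
                               "Host: example.test\r\n\r\n"),
    # Parameter the profile has never seen, carrying SQL structure.
    "unknown_param": ("GET /product?id=7&ref=1%20union%20select%202 HTTP/1.1\r\n"
                      "Host: example.test\r\n\r\n"),
}


def decode_fully(value, max_rounds=3):
    """URL-decode repeatedly (bounded) so double-encoded values are normalised."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def parse_request(raw):
    """Split a raw HTTP/1.1 request into (method, path, {param: [decoded values]})."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line = head.split("\r\n", 1)[0]
    method, target, _version = request_line.split(" ", 2)
    parts = urlsplit(target)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    if method == "POST":
        pairs += parse_qsl(body, keep_blank_values=True)
    params = {}
    for name, value in pairs:
        params.setdefault(name, []).append(decode_fully(value))
    return method, parts.path, params


def naive_detect(raw):
    """Signature-only check over the whole undecoded request: cheap but noisy,
    and blind to a payload that is still URL-encoded."""
    return bool(NAIVE_SIGNATURES.search(raw))


def profile_detect(raw, profile):
    """Parameter-aware check: decode each value and judge it against what the
    application is known to accept for that parameter on that path."""
    _method, path, params = parse_request(raw)
    expected = profile.get(path, {})
    findings = []
    for name, values in params.items():
        kind = expected.get(name, "unknown")
        for value in values:
            if kind == "numeric" and not re.fullmatch(r"-?\d+", value):
                findings.append((name, "non-numeric value in numeric parameter"))
            elif kind == "free_text":
                continue  # SQL-looking words are normal here; do not alert
            elif STRUCTURED_SQL.search(value):
                findings.append((name, "SQL structure in unexpected parameter"))
    return findings


if __name__ == "__main__":
    for label, raw in SAMPLE_REQUESTS.items():
        print(f"{label:24s} naive={naive_detect(raw)!s:5s} "
              f"profile={profile_detect(raw, PROFILE)}")
```

Run against the constructed requests, the naive check alerts on the harmless forum post (the words "Union" and "select" in its body) and says nothing about the URL-encoded payload, because `%20` sits between word characters and defeats the `\b` boundaries. The profile-based check is quiet on the forum post, flags the numeric `id` parameter when it carries anything but digits, catches the double-encoded variant after normalisation, and falls back to a structural SQL check only for parameters the profile has never seen.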


Some organizations consider vulnerability scanning technology, either static (code review) or dynamic (application vulnerability scanning), as a way to address SQL injection and other application vulnerabilities. It should be noted that although these scanning technologies help discover vulnerabilities, they still leave organizations with the problem of mitigating them.


To address SQL injection and other advanced application threats, a different solution, a Web application firewall, is required. Unlike network firewalls and IPS solutions, a Web application firewall understands how applications work and provides specific protection for applications against attacks based on both known and unknown vulnerabilities. Even an organization that has the resources available to fix application code will benefit from deploying a Web application firewall. With a Web application firewall deployed in front of critical application and Web servers, the organization gets a larger window within which to fix its application code, rather than having to schedule rush fixes each time a new application threat or variant of a known application threat is introduced. In addition to deploying a Web application firewall, the organization can schedule code fixes and third party patching of the most critical areas of the application, much like an organization would do with any other functional flow.


One of the greatest challenges organizations face in SQL injection security solutions is properly tracking actual users. The fundamental problem is that almost all Web applications use “pool accounts” so that while users are authenticated to the Web application, they appear only as a single pooled account user to the database. Security and compliance mandates make it critical to have a solution that will uniquely identify the end-users who are performing activities via applications, even when connection pooling mechanisms are used for communication between the Web application and associated database. The lack of visibility in these situations has serious disclosure and audit accountability issues. This capability is difficult to find in most products in the market, since they either address application or database security, but not both. However, Imperva’s SecureSphere products address this important need.
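The pooled-account problem is easy to reproduce with two log files. The following is an added example written for this article, not code from the original page and not how Imperva's SecureSphere products solve it: the database audit log records every statement under the single pooled account, so attribution has to come from a join with the web tier. The technique shown here is application-side query tagging, where the application prepends a comment carrying its request id to each statement and a correlator joins that id back to the authenticated user in the access log. Both log formats, the request ids, the user names and the timestamps are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed web-tier access log.  The application knows the authenticated
# user and assigns each request an id.  Fields: time user request_id method path
WEB_LOG = """\
2024-01-10T10:00:01Z alice 8f1 GET /account
2024-01-10T10:00:02Z bob 8f2 GET /orders
2024-01-10T10:00:03Z alice 8f3 POST /account/email
"""

# Constructed database audit log.  Every statement arrives over the same pooled
# connection as the single account `app_pool`, so on its own the database cannot
# say which end user issued it.  The application is assumed to prepend a
# `/* req=<id> */` comment; the last line shows a statement without one.
DB_LOG = """\
2024-01-10T10:00:01Z app_pool conn=17 /* req=8f1 */ SELECT email FROM accounts WHERE id = 101
2024-01-10T10:00:02Z app_pool conn=17 /* req=8f2 */ SELECT * FROM orders WHERE customer = 202
2024-01-10T10:00:03Z app_pool conn=17 /* req=8f3 */ UPDATE accounts SET email = 'a@example.test' WHERE id = 101
2024-01-10T10:00:04Z app_pool conn=17 SELECT 1
"""

REQ_TAG = re.compile(r"/\*\s*req=(\w+)\s*\*/")


def tag_query(sql, request_id):
    """Application side: carry the request id into the statement as a comment
    so the database-side record can later be joined to the authenticated user."""
    return f"/* req={request_id} */ {sql}"


def parse_web_log(text):
    """Map request id -> authenticated user from the constructed access log."""
    mapping = {}
    for line in text.splitlines():
        _time, user, req_id, _method, _path = line.split(" ", 4)
        mapping[req_id] = user
    return mapping


def parse_db_log(text):
    """Parse the constructed audit log, pulling the request id out of the
    comment tag when one is present."""
    rows = []
    for line in text.splitlines():
        time, db_user, conn, rest = line.split(" ", 3)
        match = REQ_TAG.search(rest)
        rows.append({"time": time, "db_user": db_user, "conn": conn,
                     "req_id": match.group(1) if match else None, "sql": rest})
    return rows


def attribute(web_text, db_text):
    """Join database statements to end users via the request id.  Statements
    without a usable tag stay attributed to the pooled account, which is
    exactly the visibility gap the text describes."""
    req_to_user = parse_web_log(web_text)
    attributed = []
    for row in parse_db_log(db_text):
        end_user = req_to_user.get(row["req_id"]) if row["req_id"] else None
        attributed.append({**row, "end_user": end_user or f"unattributed ({row['db_user']})"})
    return attributed


def activity_by_user(rows):
    """Per-end-user statement counts, the figure an audit actually wants."""
    counts = defaultdict(int)
    for row in rows:
        counts[row["end_user"]] += 1
    return dict(counts)


if __name__ == "__main__":
    print("database accounts seen:", {r["db_user"] for r in parse_db_log(DB_LOG)})
    for row in attribute(WEB_LOG, DB_LOG):
        print(row["time"], row["end_user"].ljust(24), row["sql"])
    print(activity_by_user(attribute(WEB_LOG, DB_LOG)))
```

The first print shows the database's own view, a single account. After the join, three of the four statements resolve to `alice` or `bob`, and the untagged one remains "unattributed (app_pool)", which is how this approach degrades: it is only as complete as the application's tagging, and a driver or proxy that strips comments removes the evidence. Products that sit on the network between the web application and the database, as the text describes, correlate the two sides without depending on the application being modified.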
