Imperva CTO Casts Doubt over IBM X-Force’s Claim that SQL Injections Are Declining
March 2010 by Imperva
IBM’s X-Force published a report claiming that SQL Injection is in decline: http://www.networkworld.com/news/2010/031210-sql-injection-active-x-on.html
The report cites: “11 per cent drop in discovered vulnerabilities compared to 2008, including a decline in the largest categories like SQL Injections and ActiveX.”
Imperva CTO Amichai Shulman cast doubt over the findings. “The report is misleading. The report is about known vulnerabilities; IBM only counts vulnerabilities in commercial products and frameworks. While there might be a decline in the number of SQL injection vulnerabilities in products and frameworks, it is not necessarily indicative of the number of application-specific vulnerabilities. Also, while the percentage of SQL injection vulnerabilities among total vulnerabilities may decline, their overall absolute number is still on the rise as more vulnerable applications are put online.”
Shulman pointed to the recent Cenzic report that showed SQL Injections on the rise. “The Cenzic study, correctly, tracked SQL Injections in custom applications which are not counted in the IBM X-Force report. This is a much better indicator of what we see with our own forensic investigations.”
Shulman cautioned that the IBM report could potentially send the wrong message to the industry. “SQL Injections are the first choice when it comes to data theft. Any hint that such vulnerabilities are on the decline could give the wrong impression that SQL Injection attacks are on the decline. The reality is that enterprises need to be extremely vigilant and do everything they can to stop hackers’ favorite method of attack.”