Expect more SQL injection problems, despite Microsoft's help

Attackers will continue to find websites vulnerable to SQL injection despite Microsoft's recent advisory, which identifies tools to help companies check whether their websites are vulnerable and their code is secure.

A major shift in secure software development is needed to bolster code and defend against Web-based attacks, said Billy Hoffman, lead security researcher for the Web Security Research Group at HP. Hoffman called Microsoft's advisory a wake-up call for people involved in the software development lifecycle, but stopped short of calling it a stopgap measure.

"No security solution will work unless you have executive buy-in," Hoffman said. "Security is something that executives, vice presidents of development and directors of engineering need to be aware of and pushing throughout the lifetime of development. Right now that's not happening."

So far, as many as 600,000 websites have been successfully attacked using automated toolkits designed to let novice hackers easily target vulnerable sites. Microsoft identified several free tools that could be used to defend against the recent mass SQL injection attacks: UrlScan, which blocks HTTP requests; Microsoft Source Code Analyzer for SQL Injection, which detects ASP code susceptible to SQL injection attacks; and Scrawlr, a vulnerability scanner that identifies faulty code in websites.
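As an added illustration (not code from the article, from Microsoft or from HP), here is a Python analogue of the ASP coding flaw that a source code analyzer for SQL injection looks for: a query assembled by string concatenation beside its parameterized form, run against a constructed in-memory SQLite table with constructed inputs, including one legitimate value containing an apostrophe and one hostile value.

```python
import sqlite3

# Constructed sample data: a tiny in-memory table standing in for a site's database.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER, name TEXT, published INTEGER)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)",
                     [(1, "widget", 1), (2, "o'ring", 1), (3, "draft item", 0)])
    return conn

def search_concatenated(conn, term):
    # The pattern a source code analyzer flags: request input spliced into the SQL text,
    # so a quote character in the input becomes part of the query's grammar.
    sql = ("SELECT name FROM products WHERE published = 1 AND name = '"
           + term + "' ORDER BY id")
    return [row[0] for row in conn.execute(sql)]

def search_parameterized(conn, term):
    # The fix: input travels as a bound parameter and can never alter the query's structure.
    sql = "SELECT name FROM products WHERE published = 1 AND name = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (term,))]

def compare(term):
    """Run both forms on one input; report the rows returned, or 'error' if the query fails to parse."""
    conn = make_db()
    out = {}
    for label, fn in (("concat", search_concatenated), ("param", search_parameterized)):
        try:
            out[label] = fn(conn, term)
        except sqlite3.OperationalError:
            out[label] = "error"
    return out

if __name__ == "__main__":
    # The last term is a constructed hostile input; the second is ordinary data with an apostrophe.
    for term in ("widget", "o'ring", "x' OR 'a'='a"):
        print(repr(term), compare(term))
```

Note that the concatenated form not only leaks the unpublished row on hostile input but also fails on the perfectly legitimate value "o'ring", so parameterization fixes a correctness bug as well as the security one.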
