/ Database Zone
Over a million developers have joined DZone.
{{announcement.body}}
{{announcement.title}}

SQL Injection? ''Come on.''

DZone's Guide to

SQL Injection? ''Come on.''

Political software is amazingly important, but isn't living up to the software quality expected by all other software. OWASP and security standards must be enforced.

by
Jeff Williams
·
Aug. 25, 16 · Database Zone
Free Resource

Comment (3)

Save
Tweet
{{ articles[0].views | formatCount}} Views

Learn how to create flexible schemas in a relational database using SQL for JSON.

Some software is more important than other software. The software in medical devices that keeps people alive? That’s important. The software that controls the economy? Important. The software that controls airplanes. Again… important. And the software that undergirds our democracy … the software that ensures our elections are fair? That’s pretty important stuff.

We need to hold the purveyors of this important software to a higher standard. We must have assurances that these critical applications are resilient against those who would undermine our democracy. This assurance isn’t necessarily easy to generate. Building rugged software that has strong defenses against both expected and unexpected attacks takes a level of rigor not found in most software organizations.

But we are not even close. Maybe not even really trying. When a voter records system is susceptible to SQL injection, we should all be concerned. SQL injection has been well known and well understood for over 20 years. It has headlined the OWASP Top Ten for 14 years. Protecting against SQL injection isn’t even tremendously difficult.

Could these attackers have modified voter records? Maybe even affect whether voters who thought they were registered could actually vote when they show up on Election Day? Or maybe the bad guys sell these records to one of the candidates, so they can target those critical “undecided” voters better. 

I’ve reviewed the code of an electronic voting/election management system for one of the major vendors. I can only say that I expected better. What we found was that these systems have the same types of security mistakes as everything else. Which is to say they had a lot of easily identifiable vulnerabilities.

Let’s raise the bar for software that’s part of “critical infrastructure.” We shouldn’t have to blindly trust that software has basic security protections. Many years ago I proposed a “software facts” label that would let software buyers and users know about the security in an application. I find this highly preferable to a liability regime, and something that wouldn’t put and undue burden on software producers. Let’s go Congress, FEC, FTC, NIST, DHS, NSA, and POTUS.

You know that quote from Marc Andreessen, “software is eating the world”?  Well, it just might.

Create flexible schemas using dynamic columns for semi-structured data. Learn how.

Like This Article? Read More From DZone

Demystifying Secure Database Development Myths
Getting Started With Blind SQL Injection
SAP SQL Injections

Free DZone Refcard

Getting Started With Redis
DOWNLOAD
Topics:
database ,security ,sql injection

Comment (3)

Save
Tweet
{{ articles[0].views | formatCount}} Views

Published at DZone with permission of Jeff Williams, DZone MVB. See the original article here.

Opinions expressed by DZone contributors are their own.

Database Partner Resources

White paper: Flexible data modeling using dynamic columns, includes sample data and queries.
Explore the top 10 use cases for NoSQL – Real-world examples from leading companies
NoSQL Performance with Full Read/Write Access to SQL
Switch from relational to NoSQL for faster, more flexible web, mobile, and IoT apps
MySQL vs. MariaDB: Guide to Open Source Database Selection
Five NoSQL Myths Dispelled by c-treeACE
Learn to achieve data integrity and flexibility by combining structured and semi-structured data with MariaDB and JSON.
Don’t let the database be a bottleneck: Solving Database Deployment Problems with Database DevOps
Shift LEFT: Explore how – and why – application and database development can make the most of DevOps
Couchbase outperformed MongoDB by 7x on reads, 5x on writes, and 3x on queries
Learn how to achieve Continuous Delivery for Databases in this 110 page E-book

Database Partner Resources

White paper: Flexible data modeling using dynamic columns, includes sample data and queries.
Explore the top 10 use cases for NoSQL – Real-world examples from leading companies
NoSQL Performance with Full Read/Write Access to SQL
Switch from relational to NoSQL for faster, more flexible web, mobile, and IoT apps
THE DZONE NEWSLETTER

Dev Resources & Solutions Straight to Your Inbox

Thanks for subscribing!

Awesome! Check your inbox to verify your email so you can start receiving the latest in tech news and resources.

X

{{ parent.title || parent.header.title}}

{{ parent.tldr }}

{{ parent.linkDescription }}

{{ parent.urlSource.name }}
by {{ parent.authors[0].realName || parent.author}}
· {{ parent.articleDate | date:'MMM. dd, yyyy' }} {{ parent.linkDate | date:'MMM. dd, yyyy' }}
· {{ parent.portal.name }} Zone