SQL Injection? ''Come on.''

Election software is critically important, yet it is not held to the quality expected of other critical software. OWASP guidance and security standards must be enforced.

By Jeff Williams · Aug. 25, 16 · Database Zone · Opinion


Some software is more important than other software. The software in medical devices that keeps people alive? That’s important. The software that controls the economy? Important. The software that controls airplanes. Again… important. And the software that undergirds our democracy … the software that ensures our elections are fair? That’s pretty important stuff.

We need to hold the purveyors of this important software to a higher standard. We must have assurances that these critical applications are resilient against those who would undermine our democracy. This assurance isn’t necessarily easy to generate. Building rugged software that has strong defenses against both expected and unexpected attacks takes a level of rigor not found in most software organizations.

But we are not even close. Maybe not even really trying. When a voter records system is susceptible to SQL injection, we should all be concerned. SQL injection has been well known and well understood since the late 1990s. It has been on the OWASP Top Ten since the list's first edition in 2003, and at the very top of it since 2010. Protecting against SQL injection isn't even tremendously difficult: parameterized queries (prepared statements) keep user input out of the statement's syntax entirely, so the fix is a well-understood change in how queries are written rather than a research problem.
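To make the "isn't tremendously difficult" point concrete, here is an added example (written for this edit; it is not code from the article, from any voting-system vendor, or from the system the author reviewed). It builds a hypothetical voter-registration table in an in-memory SQLite database with constructed sample rows, then shows a registration lookup and a "mark voter inactive" operation written the vulnerable way, by pasting request input into the SQL text, beside the same operations written with bound parameters. The table name, column names, sample voters and the `3 OR 1=1` / `x' OR 1=1 --` payloads are all assumptions for illustration.

```python
import sqlite3

# Constructed sample data for a hypothetical voter-registration table.
SAMPLE_VOTERS = [
    ("Alvarez", "1980-04-12", "12A", "active"),
    ("Baker", "1975-09-30", "12A", "active"),
    ("Chen", "1991-01-05", "07C", "active"),
]


def make_db() -> sqlite3.Connection:
    """Create an in-memory SQLite database holding the constructed voter rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE voters ("
        "id INTEGER PRIMARY KEY, last_name TEXT, dob TEXT, precinct TEXT, status TEXT)"
    )
    conn.executemany(
        "INSERT INTO voters (last_name, dob, precinct, status) VALUES (?, ?, ?, ?)",
        SAMPLE_VOTERS,
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, last_name, dob):
    """Registration lookup with the caller's input pasted into the SQL text.

    Whatever the caller supplies becomes part of the statement's syntax, so a
    last name of  x' OR 1=1 --  rewrites the WHERE clause, comments out the
    date-of-birth check, and returns every voter in the table.
    """
    sql = (
        "SELECT last_name, dob, precinct, status FROM voters "
        f"WHERE last_name = '{last_name}' AND dob = '{dob}'"
    )
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, last_name, dob):
    """Same lookup with bound parameters; the input is compared as data only."""
    sql = (
        "SELECT last_name, dob, precinct, status FROM voters "
        "WHERE last_name = ? AND dob = ?"
    )
    return conn.execute(sql, (last_name, dob)).fetchall()


def deactivate_vulnerable(conn, voter_id):
    """Mark one voter inactive, concatenating an id taken straight from the request.

    An input of  3 OR 1=1  deactivates every voter in the table. Returns the
    number of rows the UPDATE touched.
    """
    cur = conn.execute(
        f"UPDATE voters SET status = 'inactive' WHERE id = {voter_id}"
    )
    conn.commit()
    return cur.rowcount


def deactivate_parameterized(conn, voter_id):
    """Validate the id as an integer, then bind it; anything else is rejected."""
    vid = int(voter_id)  # raises ValueError on "3 OR 1=1"
    cur = conn.execute("UPDATE voters SET status = 'inactive' WHERE id = ?", (vid,))
    conn.commit()
    return cur.rowcount


if __name__ == "__main__":
    db = make_db()
    payload = "x' OR 1=1 --"
    print("vulnerable lookup rows:", len(lookup_vulnerable(db, payload, "n/a")))
    print("parameterized lookup rows:", len(lookup_parameterized(db, payload, "n/a")))
    print("vulnerable deactivate touched:", deactivate_vulnerable(make_db(), "3 OR 1=1"))
    try:
        deactivate_parameterized(make_db(), "3 OR 1=1")
    except ValueError as exc:
        print("parameterized deactivate rejected input:", exc)
```

Two things worth noting when applying this beyond the toy. Binding only protects the values; table names, column names and ORDER BY clauses cannot be parameterized, so anything structural that comes from a request has to be checked against an allow-list instead. And the integer validation in the parameterized UPDATE is what keeps the record-modification path honest: SQLite would not have matched the text `3 OR 1=1` against an integer id anyway, but rejecting it up front fails loudly instead of silently doing nothing.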

Could these attackers have modified voter records? Maybe even affect whether voters who thought they were registered could actually vote when they show up on Election Day? Or maybe the bad guys sell these records to one of the candidates, so they can target those critical “undecided” voters better. 

I’ve reviewed the code of an electronic voting/election management system for one of the major vendors. I can only say that I expected better. What we found was that these systems have the same types of security mistakes as everything else, which is to say they had a lot of easily identifiable vulnerabilities.

Let’s raise the bar for software that’s part of “critical infrastructure.” We shouldn’t have to blindly trust that software has basic security protections. Many years ago I proposed a “software facts” label that would let software buyers and users know about the security in an application. I find this highly preferable to a liability regime, and something that wouldn’t put an undue burden on software producers. Let’s go Congress, FEC, FTC, NIST, DHS, NSA, and POTUS.

You know that quote from Marc Andreessen, “software is eating the world”?  Well, it just might.

Tags: SQL Injection, Software

Published at DZone with permission of Jeff Williams, DZone MVB.

Opinions expressed by DZone contributors are their own.
