Microsoft releases SQL injection testing tools

Hat tip to Grossman (here) for the heads up about Microsoft’s recent security advisory and release of 3 new tools to help combat SQL injection errors (here).

Unfortunately, it always takes a significant incident to drive people towards doing the right thing. This is especially true of security as part of the software development life cycle, and even more so for web development, which tends to be rapid, ad hoc and less structured than traditional software development.

This is definitely positive and will hopefully accelerate security awareness in the same way poor product quality in the mid-90’s – a la the blue screen of death – accelerated quality assurance as a fundamental aspect of software development in the late 90’s.

Although the tools have limitations and are not a substitute for more advanced technologies and for experienced, thorough human analysis (which is greatly lacking in the industry), Microsoft has an opportunity to increase awareness and place these types of tools in the hands of the masses. In doing so it will hopefully highlight the ease of exploitation, the importance of security testing, and the benefits these types of tools can provide when implemented and used correctly.


2 thoughts on “Microsoft releases SQL injection testing tools”

  1. “accelerated quality assurance as a fundamental aspect of software development in the late 90’s.”

    Similarly, the worm outbreaks of the early 00’s accelerated the development of reasonably secure operating systems with pretty decent default installations, and in particular, changed the attitude toward secure software development at a few large software vendors. The change in attitude toward the importance of security has, in my opinion, made a dramatic difference in the security and availability of operating systems (using Windows 2003 as the best example).

    The problem today is similar, but much harder to tackle. In the late 90’s and early 00’s, a relatively small number of developers could largely solve the problem by changing the way they build systems. Figure tens of thousands of developers or so, who worked for no more than a handful of software companies, who were reporting to what we presume to be authoritative managers, and who could be ‘forced’ to follow a methodology or standard.

    Today, with web apps the target, the community of developers who have to understand the problem and change the way they build systems is pretty much anyone who has ever slung up a simple web/database application. That population of developers is millions, not thousands, they are all over the map in terms of their skill set, and they are largely outside the bounds of large structured software companies. Educating them is a pretty tough problem.

    My experience hosting small applications developed by small companies is universally negative. They simply don’t have a clue how to handle SQL injection, XSS, etc.

    It sounds to me like a much larger problem.
