Following the news that an SQL injection has been discovered on one of the corporate systems of the Panamanian lawyers who leaked the Panama papers, Paul Farrington, senior solution architect at Veracode commented below:
Paul Farrington, senior solution architect at Veracode
“The panama papers hack at Mossack Fonseca proves that security breaches can trigger huge political and financial ramifications for companies, individuals and even Prime Ministers around the world.
All major law firms hold large amounts of sensitive information and know the risks posed by hackers, so it’s unacceptable that despite the initial breach, the company has not fully secured its systems and remains at risk from such a well-known and avoidable attack vector.
After numerous high profile breaches due to SQL injections in recent years and this vulnerability regularly featuring on the OWASP Top 10 list for more than a decade (the widely accepted standard for application security), it is concerning the number of companies whose apathetic approach to application security leads them to be breached using this exploit.
The prevalence of the SQL injection vulnerability remains disturbingly high, with many businesses leaving themselves exposed to data loss and brand damage. In fact, Veracode analysis of data from its cloud-based application security service of over 50,000 enterprise applications, found that just over 1 in 5 had at least one SQL injection vulnerability. For cyber criminals, that’s like a car thief practically guaranteed entry into any car provided he tries all five car doors.
In 99% of cases, removal of the identified flaw is straightforward. But while the cure can be pain free, the disease can be devastating if ignored. All organisations need to be working to gain full visibility into its web application perimeter and run frequent scans on all existing applications to ensure that it remains protected from the threats that new or changed applications introduce, or from newly-discovered vulnerabilities.
[su_box title=”About Veracode” style=”noise” box_color=”#336588″][short_info id=”60239″ desc=”true” all=”false”][/su_box]
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.