The AntiSQLi library fills in some key security gaps and provides a jump-start for developers to use interfaces that provide security measures by default.
Wilmington, MA (PRWEB) June 27, 2013
Security Innovation, an authority in application security, announced today that it has teamed up with the IronBox team to release a free library for reducing risk from SQL injection (SQLi) attacks. Developers can now leverage the AntiSQLi library to auto-parameterize untrusted data, eliminating the need to write the same defensive coding pattern multiple times.
SQL injection is an attack technique used to exploit vulnerabilities in data-driven applications. The vulnerability arises when untrusted input is concatenated into a SQL statement, rather than passed to the database as a bound parameter, so that attacker-supplied text is executed as part of the query. Security experts rank injection as the number one application attack today (it heads the 2013 OWASP Top 10), and it has been the root cause of many high-profile intrusions and data breaches.
“The concept for this library began in 2010 when we wanted an easy to use, repeatable way to keep our customers’ data safe from SQL injection attacks. Because it was written specifically for our secure file transfer solution it wasn’t very usable outside our own development team,” said Kevin Lam, founder of IronBox and co-creator of the AntiSQLi library. “In collaboration with Security Innovation, who is a customer of ours, we thought about what form it should take so that it could be used by developers more broadly. As a result, we improved the design, usability and protection mechanisms; and in the process, dramatically simplified the library,” he added.
Numerous code snippets and filters to help reduce risk from SQL injection attacks already exist, but most of them use a blacklist approach (rejecting known-bad characters or keywords), which is error-prone and routinely bypassed. The AntiSQLi library employs the industry best practice, parameterized queries, and is extremely easy to integrate. And because the library is open source, developers can read and audit the code, and if needed extend its capabilities.
“Developers are humans and humans do what they are familiar with and/or what's easiest. Unfortunately, when it comes to programming applications that access SQL databases, neither of those acts typically results in secure code,” said Joe Basirico, VP of Security Services at Security Innovation and co-creator of the AntiSQLi library. “This library doesn't invent any new technologies, it just makes it easier to employ correct mitigation techniques using patterns developers are already familiar with, which is the key to adoption.”
Code scanning and reviews help catch SQLi issues after the code is written; this library helps ensure that parameterization gets baked into the code as it is written, so developers can significantly reduce the risk of SQL injection vulnerabilities.
“The problem with parameterization is that you're asking developers to do something they aren't necessarily familiar with,” said Jason Taylor, CTO of Security Innovation. “The AntiSQLi library fills in some key security gaps and provides a jump-start for developers to use interfaces that provide security measures by default.”
About AntiSQLi Library
The AntiSQLi library allows developers to write parameterized queries in a single line using the String.format paradigm, a common idiom in programming. Because it results in less code than the standard way of writing parameterized queries (creating a command object and then adding each parameter by hand), it makes writing secure queries significantly easier. This decreased effort to write secure code is a benefit to time-pressured software developers.
Integrating the AntiSQLi library is easy and takes only a couple of lines of code. The library is also highly extensible, with pre-written .NET classes for Microsoft SQL Server and Microsoft SQL Server Compact Edition. Developers can extend it to support other database platforms such as Oracle and MySQL.
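The following is an added example and is not code from AntiSQLi, Security Innovation or IronBox. It contrasts the vulnerable string-concatenation pattern described above with the standard ADO.NET parameterized form and with a String.Format-style helper of the kind the release describes; the `Format` helper, the `Users` table and its columns are this example's own assumptions, not the AntiSQLi API.

```csharp
// Added example (not the AntiSQLi library's code). Requires System.Data.SqlClient.
// The table/column names and the Format() helper are assumptions for illustration.
using System;
using System.Data;
using System.Data.SqlClient;

static class SqliDemo
{
    // VULNERABLE: untrusted text is spliced into the statement. With
    // userName = "x' OR '1'='1" the WHERE clause becomes always-true.
    public static SqlCommand LookupUserUnsafe(SqlConnection conn, string userName)
    {
        string sql = "SELECT Id, Email FROM Users WHERE Name = '" + userName + "'";
        return new SqlCommand(sql, conn);
    }

    // SAFE, the standard ADO.NET way: the value is bound to a typed parameter
    // and never becomes part of the SQL text, so quotes in it are just data.
    public static SqlCommand LookupUserParameterized(SqlConnection conn, string userName)
    {
        var cmd = new SqlCommand("SELECT Id, Email FROM Users WHERE Name = @name", conn);
        cmd.Parameters.Add("@name", SqlDbType.NVarChar, 128).Value = userName;
        return cmd;
    }

    // SAFE, format-style: a hypothetical helper (this example's own, not the
    // AntiSQLi API) that rewrites {0}, {1}, ... to @p0, @p1, ... and binds each
    // argument as a parameter, giving the one-line form the release talks about.
    public static SqlCommand Format(SqlConnection conn, string template, params object[] args)
    {
        var cmd = new SqlCommand { Connection = conn };
        var names = new object[args.Length];
        for (int i = 0; i < args.Length; i++)
        {
            // A quoted placeholder such as '{0}' would turn "@p0" into a string
            // literal instead of a parameter reference, so reject that template.
            if (template.Contains("'{" + i + "}'"))
                throw new ArgumentException("Do not quote placeholders; values are bound as parameters.");
            names[i] = "@p" + i;
            cmd.Parameters.AddWithValue("@p" + i, args[i] ?? DBNull.Value);
        }
        cmd.CommandText = string.Format(template, names);
        return cmd;
    }

    static void Main()
    {
        const string attack = "x' OR '1'='1";

        // Only builds the commands; nothing is executed, so no database is needed.
        Console.WriteLine(LookupUserUnsafe(null, attack).CommandText);

        var safe = Format(null,
            "SELECT Id, Email FROM Users WHERE Name = {0} AND Active = {1}", attack, true);
        Console.WriteLine(safe.CommandText);
        Console.WriteLine(safe.Parameters["@p0"].Value);
    }
}
```

Running it shows the unsafe command text with the injected `OR '1'='1'` clause now part of the SQL, while the formatted command's text contains only `@p0` and `@p1` and the attack string sits in `@p0` as a plain value. Two caveats a reviewer would raise: parameters can only stand in for values, so table names, column names and sort directions still need a whitelist rather than a placeholder; and `AddWithValue` infers the parameter type from the .NET value, which can cause implicit conversions and plan-cache churn on SQL Server, so code on a hot path should bind with an explicit `SqlDbType` and size as `LookupUserParameterized` does.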
To download or learn more about AntiSQLi library, please visit: http://ironbox.github.io/AntiSQLi/
To read about AntiSQLi on Dark Reading, please visit:
About Security Innovation
Security Innovation is an authority in application security and offers solutions based on the three pillars of the Software Development Lifecycle (SDLC): standards, education and assessment. On a mission to help eliminate the root cause of most data breaches – insecure software applications – Security Innovation helps organizations build internal expertise, uncover critical vulnerabilities and integrate security into software applications. The company’s flagship training products include TeamMentor™ secure development standards and TeamProfessor™, the industry’s largest library of application security awareness and technical eLearning courses.
About IronBox
IronBox develops industry-leading software that helps organizations protect and exchange sensitive data and reduce their risk of data breach. The IronBox secure file transfer solution is easy to use, requires no extra software or hardware and can be set up in minutes. Used and trusted by organizations worldwide of all sizes since 2010, the IronBox solution has also been referred to as a “powerful and reliable way to exchange sensitive data” by a Fortune 50 company.