SQL Injection is both an easy and a difficult attack to build a maturity model for: on the one hand the mitigations for SQL Injection are well known, on the other hand ranking them is less straightforward. Nevertheless, let's have a go:
- None. No protection. At most the incidental protection that general input validation provides, with no effort to specifically guard against SQL Injection.
- Basic. Strip SQL syntax characters. Depending on which string delimiter the SQL uses, either single- or double-quote characters are stripped from input.
- Intermediate. Parameterised Queries (a.k.a. Prepared Statements). All SQL commands are made using parameterised queries. Any stored procedures are rigorously reviewed for potential SQL Injection flaws.
- Advanced. Object-Relational Mapping (ORM). All SQL commands are replaced with ORM calls. Any stored procedures are rigorously reviewed for potential SQL Injection flaws.
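To make the first three levels concrete, here is an added example (not code from the original post) using Python's standard sqlite3 module against a constructed in-memory table. It also shows the caveat a reviewer would raise about the Basic level: stripping quote characters only helps where the value is string-delimited, so a numeric column concatenated into the query gets no protection at all, whereas a parameterised query binds the value as data in both cases. The ORM level is not shown since it needs a third-party library.

```python
import sqlite3


def make_db():
    """Constructed sample data for the demonstration (not a real schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", "admin"), (2, "bob", "user")])
    return conn


# Level "None": the value is concatenated straight into the SQL text.
def find_user_none(conn, name):
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


# Level "Basic": strip the string delimiter (single quote here) before concatenating.
def find_user_basic(conn, name):
    cleaned = name.replace("'", "")
    sql = "SELECT name FROM users WHERE name = '" + cleaned + "'"
    return [row[0] for row in conn.execute(sql)]


# Level "Basic" applied to a numeric column: there is no delimiter to strip,
# so the same quote-stripping leaves the query text fully under the caller's control.
def find_by_id_basic(conn, user_id):
    cleaned = str(user_id).replace("'", "")
    sql = "SELECT name FROM users WHERE id = " + cleaned
    return [row[0] for row in conn.execute(sql)]


# Level "Intermediate": parameterised queries. The driver sends the value separately
# from the SQL text, so it is compared as data and never parsed as SQL.
def find_user_param(conn, name):
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


def find_by_id_param(conn, user_id):
    rows = conn.execute("SELECT name FROM users WHERE id = ?", (user_id,))
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    # Textbook test inputs: a string-context one and a numeric-context one.
    for fn, value in [(find_user_none, "' OR 1=1 --"), (find_user_basic, "' OR 1=1 --"),
                      (find_by_id_basic, "1 OR 1=1"), (find_user_param, "' OR 1=1 --"),
                      (find_by_id_param, "1 OR 1=1")]:
        print(fn.__name__, repr(value), "->", fn(db, value))
```

Running it shows the "None" and numeric "Basic" variants returning every row for the test inputs, while the parameterised variants return nothing because the whole value is compared literally.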
So SQL Injection is probably one of the easier attacks to put in a MMM, since the mitigations are so well understood. The real test of how useful the MMM idea is will be whether it can be applied to the majority of high-risk attacks that applications must face.