Tuesday, April 29, 2008

Blog: Microsoft Says SQL-Injection Attacks Not Due to Flaws in Their Products; Rather Due To Application Programming Errors

SANS NewsBites Vol. 10 Num. 34 (fwd); 4/29/2008 10:46 AM

Microsoft Says SQL-Injection Attacks Not Due to Flaws in Their Products; Rather Due To Application Programming Errors (April 27 & 28, 2008)

Microsoft maintains that the SQL-injection attacks spreading to hundreds of thousands of web pages are not due to new or unknown vulnerabilities in its Internet Information Server (IIS) or SQL Server. The Microsoft Security Response Center's Bill Sisk said the attacks are the result of SQL injection exploits and proffered a set of industry best practices for organizations to follow to protect themselves from such attacks.

http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9080678&source=rss_topic17

http://www.news.com/8301-10784_3-9929861-7.html?part=rss&subj=news&tag=2547-1_3-0-20

http://www.heise-online.co.uk/security/Microsoft-offers-assistance-to-combat-mass-SQL-injection--/news/110616

http://blogs.technet.com/msrc/archive/2008/04/25/questions-about-web-server-attacks.aspx

[Editor's Note (Paller): The Microsoft guidance for programmers on how to avoid programming errors that enable SQL Injection attacks (posted at http://msdn2.microsoft.com/en-us/library/ms998271.aspx) is excellent.

These guidelines reflect the skills that are now being tested for Java and soon for .NET programmers. If you have more than 300 programmers, you can have up to 10 of them use the free online skills assessment to find their skills gaps. Email spa@sans.org ]
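To illustrate the distinction the item and the editor's note draw (an application programming error, not a flaw in the database server), here is an added example that is not from the article, SANS, or Microsoft's guidance: the same search written with string concatenation and with a bound parameter, run against a constructed in-memory SQLite table (SQLite stands in for SQL Server; the table and rows are made up).

```python
import sqlite3


def make_db():
    # Constructed toy table standing in for the application's database.
    # The engine itself behaves the same in both queries below; only the
    # way the application builds the SQL differs.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER, name TEXT, published INTEGER)")
    conn.executemany(
        "INSERT INTO products VALUES (?, ?, ?)",
        [(1, "widget", 1), (2, "gadget", 1), (3, "prototype", 0)],
    )
    return conn


def search_vulnerable(conn, term):
    # The programming error: user input is pasted into the SQL text, so the
    # server cannot tell where the statement ends and the data begins.
    sql = "SELECT name FROM products WHERE published = 1 AND name = '" + term + "'"
    return [row[0] for row in conn.execute(sql)]


def search_parameterized(conn, term):
    # The practice the guidance recommends: the SQL text is fixed and the
    # value travels separately as a bound parameter, so it is only ever
    # compared as data, never parsed as part of the statement.
    sql = "SELECT name FROM products WHERE published = 1 AND name = ?"
    return [row[0] for row in conn.execute(sql, (term,))]


def compare(term):
    # Returns (vulnerable result, parameterized result) for the same input.
    conn = make_db()
    return search_vulnerable(conn, term), search_parameterized(conn, term)


if __name__ == "__main__":
    print(compare("widget"))          # both return ['widget']
    print(compare("x' OR '1'='1"))    # concatenation leaks every row, including unpublished
```

With the malformed input, the concatenated statement becomes `... name = 'x' OR '1'='1'`, which the server correctly evaluates as written; the parameterized query simply finds no product with that literal name.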
