SQL injection (SQLi) attacks have been a persistent threat in the realm of cybersecurity since the late 1990s. Despite efforts to combat this form of attack, it remains the third most common source of vulnerabilities in web applications. The reasons behind this prevalence include human error, the use of new technologies with immature code, and the widespread adoption of open-source code, which can limit developers’ control over their software.
In March 2024, CISA and the FBI issued a joint warning urging manufacturers and other stakeholders to take decisive action to eliminate SQLi vulnerabilities. To address this issue, they recommended adopting a Secure by Design framework that builds security measures into the software development process as an integral part, rather than as an afterthought.
As the threat landscape evolves, a new wave of SQLi attacks is emerging with a different focus than before. This shift is attributed to the rise of software developed on low-code and no-code (LCNC) platforms, including robotic process automation (RPA), which are projected to power 70% of applications by 2025. Unlike traditional software development, LCNC platforms are often utilized by citizen developers, who lack the technical expertise of professional coders and may inadvertently introduce vulnerabilities into their creations.
This shift has significant implications for cybersecurity, as LCNC and RPA applications present a fertile ground for SQLi attacks. These platforms, coupled with a growing ecosystem of business software tools, create an external attack surface that hackers can exploit by injecting malicious code into external data sources processed by LCNC applications. This poses a serious risk to organizations, as SQLi attacks can lead to data manipulation, theft, and even unauthorized access to critical systems.
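As an added illustration that is not part of the original article: an automation step that looks up records using a value pulled from an external feed, written once in the concatenating form the article warns about and once with a bound parameter. The feed contents, table and function names are constructed for this example.

```python
import sqlite3

# Constructed sample of rows an LCNC/RPA workflow might pull from an
# external data source (a partner spreadsheet, a web-form export).
# The second record carries a value crafted to change the meaning of
# an SQL statement that is assembled by string concatenation.
EXTERNAL_FEED = [
    {"customer": "Acme Ltd"},
    {"customer": "x' OR '1'='1"},
]


def build_db():
    """In-memory table standing in for the application's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (customer TEXT, total REAL)")
    conn.executemany(
        "INSERT INTO orders VALUES (?, ?)",
        [("Acme Ltd", 120.0), ("Globex", 80.0), ("Initech", 55.0)],
    )
    return conn


def lookup_unsafe(conn, customer):
    # Vulnerable step: the feed value is spliced into the statement, so a
    # crafted value becomes part of the SQL instead of a string literal.
    sql = "SELECT total FROM orders WHERE customer = '" + customer + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, customer):
    # Hardened step: the value travels as a bound parameter; the database
    # treats it purely as data, whatever characters it contains.
    sql = "SELECT total FROM orders WHERE customer = ?"
    return [row[0] for row in conn.execute(sql, (customer,))]


def process_feed(lookup):
    """Run one lookup per feed record; returns {customer: [totals]}."""
    conn = build_db()
    return {rec["customer"]: lookup(conn, rec["customer"]) for rec in EXTERNAL_FEED}
```

With the concatenating lookup the crafted record returns every row in the table; with the parameterized lookup it matches nothing, because no customer has that literal name.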
Existing application security (AppSec) stacks are ill-equipped to address the unique challenges posed by LCNC platforms, and citizen developers often lack the training needed to mitigate SQLi risks effectively. Consequently, the frequency and severity of SQLi attacks are expected to increase as more citizen developers turn to LCNC platforms for application development.
To address this growing concern, CISOs and security professionals must acknowledge the unique risks posed by LCNC applications and take proactive steps to bolster their security posture. This includes implementing a secure development approach that encompasses both commercial software and applications developed by citizen developers.
A comprehensive LCNC security program should focus on governance, compliance, and security to mitigate SQLi risks effectively. By maintaining an inventory of applications, ensuring compliance with data protection regulations, and enhancing access control mechanisms, organizations can create more secure LCNC development environments.
In conclusion, as the threat of SQLi attacks continues to loom large, it is imperative for CISOs to adopt a more nuanced approach to addressing this vulnerability. By prioritizing the security of LCNC applications and providing adequate guidance and resources to citizen developers, organizations can build a more resilient defense against SQLi attacks in the digital era.