Millions of websites all over the world are routinely built with one of the most basic security flaws because software designers are not taught anything about security, according to cybersecurity experts.
The flaw makes websites vulnerable to “SQL injection,” in which hackers take control of a site’s database — including user names and passwords — by typing specially crafted text into the boxes where users enter log-in data or search terms, so that the text is executed as part of the site’s database query.
The flaw was identified as the No. 1 computer-security vulnerability in a report released this week, “The Top 25 Most Dangerous Software Errors 2011.”
The nonprofit technology firm Mitre and the Internet-security education group SANS compiled the report with input from dozens of security firms and experts in Europe and the United States.
Robert A. Martin, principal engineer at Mitre, said one of the reasons why SQL injection is the top security flaw is that “it’s so easy to exploit.” The vulnerability was rated fourth in last year’s top-25 survey.
Hackers can easily write programs that scan tens of millions of websites for SQL-injection gaps, Mr. Martin said. “It’s this ease of exploit [and] ease of discovery” that make such gaps so dangerous — and so attractive to hackers, he added.
Some website databases store highly sensitive information, such as Social Security or credit-card numbers — although this kind of data is often encrypted, making it harder for hackers to access.
Mr. Martin said that taking control of websites’ databases also allows hackers who successfully employ SQL-injection attacks to control the computers that operate the sites.
SQL injection has been a known vulnerability for more than a decade, Mr. Martin told The Washington Times.
But the flaw continues to crop up in databases because software designers are not trained to produce secure programs, said Alan Paller, director of research for SANS.
“There are a million and a half programmers in this country, most of them learned in college or at a trade school or taught themselves from books — and in the books they used — and in the grading of the samples when they turn in code [as coursework], the concept of secure coding is never brought up. The colleges just don’t teach it,” Mr. Paller said.
He said SANS had found many examples of security gaps in software coding used as examples in textbooks.
Mr. Paller added that the federal government needs to increase pressure on teaching institutions to make security a part of their curricula.
“At some point, [the National Science Foundation] and the [federal officials] who work with the colleges have to say, ‘If we’re giving you all this money, do you think you could teach people to write secure code?’” he said.