Shostack + Friends Blog Archive


David Litchfield Asked Me

At Blue Hat, David Litchfield of NGS asked me ‘how many of the issues we see are related to SQL injection?’ I reviewed the breach archive here and found fewer than half a dozen that seemed like decent candidates:

It’s not clear that all of these are SQL injection. For some of them I am inferring it from the absence of detail in the reports, or from phrases like “sophisticated hacker.” That’s poor analysis technique, but it’s the best I can do right now. We need to do better if we want to answer questions about where security resources are best allocated.

3 comments on "David Litchfield Asked Me"

  • Allan Friedman says:

    In a few weeks, there will be a fairly comprehensive list available of breaches of commercial entities. Stay tuned…

  • Iang says:

    Is the conclusion here to be drawn that there are far fewer SQL injection attacks than we thought, and therefore the threat is overplayed?

  • Adam says:

    I’d bet on observational bias before I’d bet that there are that few SQL injection attacks going on.
