CISA督促業者在產品出貨前檢查SQL注入漏洞
· 2024-03-26

有鑑於去年駭客利用MOVEit Transfer網頁應用程式的SQL注入漏洞發動大規模攻擊,美國政府發布Secure by Design Alert,呼籲技術製造商在產品出貨前,應審查程式碼是否含有SQL注入漏洞

/CISA

CISA與FBI表示,儘管在過去20年來人們已廣泛理解SQLi漏洞,也有了有效的緩解措施,然而,軟體製造商依然繼續開發具備此一缺陷的產品,使得許多客戶面臨風險,就算自2007年開始,像SQLi這類的漏洞已被視為不可原諒的安全漏洞,但相關漏洞依舊普遍存在。例如SQLi類型漏洞CWE-89去年仍登上前25款最危險漏洞排行榜。

SQLi注入漏洞主要是因應用程式無法妥善驗證使用者所輸入的SQL查詢,使得駭客得以於輸入欄位注入惡意的SQL程式碼來操控查詢,在攸關SQLi的安全設計守則中,建議業者在開發軟體時,應該隔離SQL程式碼及使用者所輸入的資料,確保系統不把使用者的輸入視為SQL語法,例如強制使用參數化查詢。

CISA與FBI督促軟體製造商的高階主管針對其程式碼展開正式審查,以確定其對SQLi危害的敏感度,同時鼓勵它們的客戶詢問供應商是否曾進行該審查,此外,在發現漏洞時,應可確保其軟體開發商能立即從所有現在或未來的軟體產品中,緩解此類的安全漏洞。

Popular articles
Are you ready to maximize your earnings? Try ProPush.me Constructor!
Marketing
DB Gaming Is One of Asia’s Top-Tier Game Solution Providers, Recognized as a Pioneer in the Asian Gaming Industry.
Marketing
B2B Tech Infrastructure Gains Momentum in Philippine Gaming Sector
Southeast Asia
SBC Summit Canada to Make Player Safety a Key Pillar of 2026 Agenda
Marketing
Institutional Academy that exceeded expectations marked the opening of GAT CDMX
Online Game
Vietnam's tightening online gaming policy creates new market opportunities
Southeast Asia
1spin4win grows its Latin American presence by partnering with Fortuna Juegos
Online Game
New Jersey July Gambling Revenue Hits $606M, Sweeps Casinos Banned
Regulation
Kazakhstan plans to penalise online casino promotions
Regulation
Global Game Connect (GGC) 2027 Officially Opens Sponsorship & Exhibition Opportunities in Sri Lanka!
HUIDU Focus
UK MPs reopen 2025 gambling inquiry as reform stalls
Regulation
PropellerAds Shared a New iGaming Case Study: 97,674 Installs and 12,701 Deposits in 3 Months
Marketing
Gaming & Technology Expo Makes a Powerful Entrance in CDMX
Marketing
Manila delivers: Highlights from SiGMA Asia 2026 
Southeast Asia
Zenith partners with HUIDU for 2026 World Cup Carnival Official Tour
Online Game
Home
Game
Cooperation
Find
My