SQL Injection: A History' OR 1=1; --

OVERVIEW

SQL Injection is one of the most widely known software attacks out there. But how did it get to that point? How have defenses changed over the years to protect against it? And why aren’t pentesters finding it anymore?

For 8 years, SQL Injection was the top vulnerability in the OWASP Top 10. The damages it can cause are severe. But in 2021, it dropped two places in the ranking, reflecting changes in the industry that reduced both the frequency and the impact of this vulnerability.

This talk will go over the history of SQL Injection, with an emphasis on which defenses have changed over the years and how, covering the effect that training, better SQL deployment capabilities, golden-path tooling, microservices, and other developments have had on SQL injection. It will also cover the lessons from these that apply to defensive security at large.

Finally, the talk will dig into the fact that penetration testers are not seeing this vulnerability as often anymore, and what implications that has for CVE-based security programs.

Presented By

WILL MCCARDELL

Application Security Architect, SysLogic Inc