If you're doing ASP.NET development then you need to check these tools out. As per this security bulletin, there has been a recent rise in SQL injection attacks exploiting vulnerabilities in sites that do not follow best practice.

So here's what you need to do:

  1. Understand recent trends in SQL injection
  2. Check out the guidance from the SDL blog on SQL-injection defense techniques and also on MSDN
  3. Use two new tools from Microsoft to a) analyse your code and b) filter suspicious requests
    1. Microsoft Source Code Analyzer for SQL Injection (MSCASI)
    2. URLScan 3.0
  4. Also check out Scrawlr, from the HP Security Laboratory in conjunction with Microsoft (I like the cartoon on that page!)


There's a forum for MSCASI at http://forums.microsoft.com/msdn/ShowForum.aspx?ForumID=92&SiteID=1 

In short, if you're doing ASP.NET development, check your code and make sure you:

  • Use SQL Parameterized Queries
  • Use Stored Procedures
  • Use SQL Execute-only Permission

Cross posted from ronan's blog
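To make those three points concrete, here is an added C# example (it is not code from the post, from Microsoft, or from any of the tools mentioned) showing the string-concatenation pattern that MSCASI flags next to its parameterized and stored-procedure replacements. The table `dbo.Users`, the procedure `dbo.usp_FindUser`, the role `WebAppRole` and the connection string are assumed names for illustration; `Main` builds the commands without a database so the difference in the generated command text can be seen offline.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

public static class UserLookup
{
    // VULNERABLE (the pattern to remove): the user-supplied value is spliced
    // into the SQL text, so any quote or comment sequence in userName changes
    // the structure of the statement instead of being treated as data.
    public static SqlCommand BuildVulnerable(string userName)
    {
        string sql = "SELECT Id, Name FROM dbo.Users WHERE Name = '" + userName + "'";
        return new SqlCommand(sql);
    }

    // FIXED: parameterized query. The SQL text is a constant; userName is sent
    // to the server as a typed value and is never parsed as SQL.
    public static SqlCommand BuildParameterized(string userName)
    {
        var cmd = new SqlCommand("SELECT Id, Name FROM dbo.Users WHERE Name = @name");
        cmd.Parameters.Add("@name", SqlDbType.NVarChar, 50).Value = userName;
        return cmd;
    }

    // Stored procedure with a typed parameter. Combined with an execute-only
    // grant, the application login cannot run ad-hoc statements at all.
    // Assumed server-side T-SQL (illustrative, not from the post):
    //   CREATE PROCEDURE dbo.usp_FindUser @name NVARCHAR(50) AS
    //       SELECT Id, Name FROM dbo.Users WHERE Name = @name;
    //   GRANT EXECUTE ON dbo.usp_FindUser TO WebAppRole;
    //   -- and no SELECT/INSERT/UPDATE/DELETE grants on dbo.Users for WebAppRole
    public static SqlCommand BuildStoredProcedure(string userName)
    {
        var cmd = new SqlCommand("dbo.usp_FindUser") { CommandType = CommandType.StoredProcedure };
        cmd.Parameters.Add("@name", SqlDbType.NVarChar, 50).Value = userName;
        return cmd;
    }

    // Executes any of the commands above against a real server.
    public static DataTable Run(SqlCommand cmd, string connectionString)
    {
        using (var conn = new SqlConnection(connectionString))
        {
            cmd.Connection = conn;
            conn.Open();
            var table = new DataTable();
            using (var reader = cmd.ExecuteReader())
            {
                table.Load(reader);
            }
            return table;
        }
    }

    public static void Main()
    {
        // Constructed input: a perfectly legitimate name that contains a quote.
        string input = "O'Brien";

        // The concatenated statement is already malformed for this benign input,
        // which is the same property an attacker relies on with crafted input.
        Console.WriteLine("Concatenated : " + BuildVulnerable(input).CommandText);

        // The parameterized text never changes; the quote is just parameter data.
        var safe = BuildParameterized(input);
        Console.WriteLine("Parameterized: " + safe.CommandText);
        Console.WriteLine("  @name value: " + safe.Parameters["@name"].Value);

        var proc = BuildStoredProcedure(input);
        Console.WriteLine("Procedure    : " + proc.CommandText + " (" + proc.CommandType + ")");
    }
}
```

The stored-procedure variant only delivers its benefit together with the third bullet: if the application login still holds SELECT or UPDATE on the underlying tables, a compromised query path can bypass the procedure, so grant EXECUTE on the procedures and nothing on the tables.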