I read a couple of blog posts about some fairly recent SQL Injection attacks (03/08):
http://blogs.technet.com/swi/archive/2008/05/29/sql-injection-attack.aspx
http://blogs.technet.com/neilcar/archive/2008/03/15/anatomy-of-a-sql-injection-incident-part-2-meat.aspx
It is amazing to me how much of this is still going on and how there is still a lack of consideration for coding standards to prevent these things from happening. Nice to know that MS has just released some tools to help DB Admins and Web Admins combat this. Seems like they too see this as a major battleground and are taking steps to ensure that we have the tools necessary to make sure they can't happen.
http://blogs.technet.com/swi/archive/2008/06/24/new-tools-to-block-and-eradicate-sql-injection.aspx
It appears that MS has teamed up with HP to generate a tool called Scrawlr which "...will crawl a website, simultaneously analyzing the parameters of each individual web page for SQL Injection vulnerabilities. Scrawlr uses some of the same technology found in HP WebInspect but has been built to focus only on SQL Injection vulnerabilities. This will allow an IT/DB admin to easily find vulnerabilities similar to the ones that have been used to compromise sites in recent attacks."
The tool can be downloaded at https://download.spidynamics.com/Products/scrawlr/ and you can read additional information about this tool as well as others on the blog post mentioned above.
Reading all this information reminds me that I need to stay up on security. It sounds like a silly statement, even after all that has gone on with SQL Injections, but there is a tendency to get sidetracked away from things like security as so many other pressing topics come up during our week.