juniorDBA13 - Wednesday, January 3, 2018 6:04 AM
A little tough love coming up here... If you don't take the time to check every instance of dynamic SQL for inject-ability, then plan on spending some time explaining how your company suffered a successful attack. You CAN'T afford to not take the time. Tell the company to stop making excuses and do it NOW!
Then implement a rigorous process that prevents unreviewed code from being deployed even to your staging environments. Again, no excuses... just do it!
I'll also tell you that you need to do the same thing for your front-end code. At the very least, hire a third party to do penetration testing of your public-facing applications and by "public-facing", I mean any app outside of IT (we even test the non-public-facing stuff).
This is something you don't want to screw with or let get balled up in stupid politics by managers that don't know any better. If they think it's expensive to do all of this, wait until they find out the true cost of a successful attack on your systems.
--Jeff Moden
Change is inevitable... Change for the better is not.
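As an added example, not part of Jeff Moden's post, here is what "checking every instance of dynamic SQL for inject-ability" looks like in T-SQL: the same lookup written once with concatenated dynamic SQL and once with sp_executesql, driven with the same payload, followed by a catalog query that lists every module containing dynamic SQL so each one can be reviewed. The table, procedure names and rows are constructed for illustration.

```sql
-- Added example (not from the post). Schema and data are constructed.
CREATE TABLE dbo.Customer
(
    CustomerID int           NOT NULL PRIMARY KEY,
    Name       nvarchar(100) NOT NULL,
    Email      nvarchar(200) NOT NULL
);
INSERT INTO dbo.Customer (CustomerID, Name, Email)
VALUES (1, N'Alice', N'alice@example.com'),
       (2, N'Bob',   N'bob@example.com');
GO

-- VULNERABLE: the caller's text becomes part of the statement.
-- @Name = N''' OR 1=1 --' turns the WHERE clause into "Name = '' OR 1=1 --"
-- and returns every row; a payload ending in ; DROP TABLE ... runs DDL.
CREATE PROCEDURE dbo.GetCustomer_Unsafe @Name nvarchar(100)
AS
BEGIN
    DECLARE @sql nvarchar(max) =
        N'SELECT CustomerID, Name, Email FROM dbo.Customer WHERE Name = '''
        + @Name + N''';';
    EXEC (@sql);
END
GO

-- HARDENED: the statement text is a constant; the value travels as a
-- typed parameter, so the payload is only ever compared as a string.
CREATE PROCEDURE dbo.GetCustomer_Safe @Name nvarchar(100)
AS
BEGIN
    DECLARE @sql nvarchar(max) =
        N'SELECT CustomerID, Name, Email FROM dbo.Customer WHERE Name = @Name;';
    EXEC sys.sp_executesql @sql, N'@Name nvarchar(100)', @Name = @Name;
END
GO

-- Same payload against both: the first leaks the whole table,
-- the second returns no rows because no customer is literally named that.
EXEC dbo.GetCustomer_Unsafe @Name = N''' OR 1=1 --';
EXEC dbo.GetCustomer_Safe   @Name = N''' OR 1=1 --';
GO

-- Inventory: every procedure, function, trigger or view whose definition
-- builds or executes dynamic SQL. Each hit is a review candidate; a human
-- still has to confirm that no caller-supplied value is concatenated in.
SELECT OBJECT_SCHEMA_NAME(m.object_id) AS schema_name,
       OBJECT_NAME(m.object_id)        AS module_name,
       o.type_desc
FROM sys.sql_modules AS m
JOIN sys.objects     AS o ON o.object_id = m.object_id
WHERE m.definition LIKE N'%sp_executesql%'
   OR m.definition LIKE N'%EXEC%(%'
   OR m.definition LIKE N'%EXECUTE%(%'
ORDER BY schema_name, module_name;
GO
```

Two caveats for the review the post asks for: the catalog query finds only code stored in the database, so dynamic SQL assembled in application code or agent jobs has to be inventoried separately; and sp_executesql parameterizes values, not identifiers, so a table or column name that must vary still has to be validated against an allow-list and wrapped in QUOTENAME() before it is spliced into the statement.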