Security influencers provide real-world insight and “in-the-trenches” experiences on topics ranging from application security to DevOps and risk management


Eliminating SQL Injection the Contrast Way

SQL Injection is one of the most serious application security problems. The vulnerability exists anytime a developer takes untrusted data (like something you submit in a URL or a web form) and concatenates it into a database query.  The outcome is that the attacker can change the meaning of the query and steal data or corrupt your database.

Scanning and penetration testing can be used to detect SQL injection problems, but they're terribly error prone and are likely to miss many instances.  Static analysis and code review can also be used, but they are difficult and time consuming.

Contrast searches out these vulnerabilities a different way. The Contrast Engine watches all the methods in your application that might be involved in a SQL injection flaw. Then as your application runs, Contrast identifies any time untrusted data reaches a SQL query. It's like putting a tracing beacon on the untrusted data as it flows through your application.

In Java there are only a few calls that can be used to communicate with a database:

  • Statement.execute*
  • Statement.addBatch
  • Connection.prepare*

So Contrast watches these methods for any untrusted data. If any untrusted data shows up, Contrast reports a full trace of this SQL injection vulnerability back to the Contrast TeamServer. The trace includes all the steps in the vulnerability - including the actual data, the exact lines of code for each step, and the full HTTP request for replay and testing.

This approach has several advantages.  It's doesn't require any appsec expertise to set up or use. Installation and use are both incredibly fast.  And, it's far more accurate than those other techniques. Give it a try and you'll never think of application security tools the same way again!



Jeff Williams, Co-Founder, Chief Technology Officer

Jeff Williams, Co-Founder, Chief Technology Officer

Jeff brings more than 20 years of security leadership experience as co-founder and Chief Technology Officer of Contrast. Previously, Jeff was co-founder and CEO of Aspect Security, a successful and innovative application security consulting company acquired by Ernst & Young. Jeff is also a founder and major contributor to OWASP, where he served as the Chair of the OWASP Board for 8 years.