Share via


New ASP.NET SQL Injection Defense Tools

If you're doing ASP.NET development then you need to check these tools out. As per this security bulletin there has been a recent rise in SQL injection attacks, exploiting vulnerabilities in sites that do not follow best practice.

So here's what you need to do:

  1. Understand recent trends in SQL injection
  2. Check out the guidance from the SDL blog on SQL-injection defense techniques and also on MSDN
  3. Use two new tools from Microsoft to a) analyse your code and b) filter suspicious requests
    1. Microsoft Source Code Analyzer for SQL Injection (MSCASI).
    2. URLScan 3.0
  4. Also check out Scrawlr from the HP Security Laboratory (I like the cartoon on that page!) in conjunction with Microsoft

 

There's a forum for MSCASI at https://forums.microsoft.com/msdn/ShowForum.aspx?ForumID=92&SiteID=1 

In short, if you're doing ASP.NET development, check your code and make sure you:

Use SQL Parameterized Queries

Use Stored Procedures

Use SQL Execute-only Permission