It has helped me to discover some vulnerabilities in the web applications (like Cross-site scripting or SQL injection) and it helps to reduce the time it takes to perform a vulnerability assessment or a penetration test against a customer's web application.
Application Security SQL Injection Reviews
Showing reviews of the top ranking products in Application Security, containing the term SQL Injection
Acunetix Vulnerability Scanner: SQL Injection
For us, the most valuable aspect of the solution is the log-sequence feature.
The main components covering most of the SQL injection findings are quite useful.
We've never faced any maintenance issues.
PortSwigger Burp: SQL Injection
I like the way the tool has been designed. Once I capture the proxy, I'm able to transfer across, all the requested information that is there. I can send across the request to the 'Repeater' feature. I put in malicious payloads and then see how the application responds to it.
More than that, the Repeater and Intruder are really awesome features on BurpSuite. For example, if I'm going to test for a SQL injection, I have certain payloads that are trying to break into the application. I make use of these predefined payloads which come as part of the tool are really useful for us to use and see how the application behaves. With the help of the BurpSuite tool, we are very well ahead to see if the application is going to break at any point in time.
So the Repeater and the Intruder, are great features that are there. More than that I think the entire community support is really fabulous. As well as of the number of plug-ins that people have written for the tool. Those have been standouts. Community support is really strong. We see a lot of plug-ins that are made available that work along with the tool.
Micro Focus Fortify on Demand: SQL Injection
The product, in general, is meant to scan the website and identify any vulnerabilities: a known vulnerability across that script and SQL injection or other vulnerabilities from OWASP top 10, etc. That is what we're using this for.
The solution scans our code and provides us with a dashboard of all the vulnerabilities and the criticality of the vulnerabilities. It is very useful that they provide right then and there all the information about the vulnerability, including possible fixes, as well as some additional documentation and links to the authoritative sources of why this is an issue and what's the correct way to deal with it.
Checkmarx: SQL Injection
My advice to any software development team using a different set of tools is to look at Checkmarx. It's a very good product. It's a great product, in fact. Any organization spending money on a subscription license should not look at it as a cost, rather, it should be seen as an investment. The Checkmarx solution can act as a resource that can help the development team to secure their application delivery. Be it an internal application for their own use, or applications being written for their customers.
This solution tells us where, in our code, the "best-fix location" is. To put this into perspective, consider a particular piece of code where there are ten vulnerabilities detected. Perhaps it is an SQL injection vulnerability. This tool gives you specific locations and informs that if you fix the code in certain areas (e.g. in three specific locations) then the subsequent vulnerabilities will automatically be addressed. Therefore, you save on development effort because you do not need to fix all ten vulnerabilities specifically and independently.
I would rate this product a nine out of ten.
SonarQube: SQL Injection
HCL AppScan: SQL Injection
The primary use case is to detect time-based Blind SQL Injection attacks, as well as Error-Based Injection attacks. The SQL injection attack is my favorite and I have more expertise in this vulnerability.
Contrast Security Assess: SQL Injection
If an app team is going to deploy new features to prod, they put in a ticket saying, "We are including these features in our 2.0 release." The ticket comes to our team. We deploy Contrast Security and then we do a bunch of manual pen tests. During the time that we're doing manual pen tests, Contrast will have a bunch of additional findings because Contrast is sensor-based. It's an agent-based solution which continuously looks at traffic coming in and going out of the application. When my team does manual penetration tests, Contrast looks through those flows and that makes our coverage better. It goes hand-in-hand with our pen test team. When the manual pen-test team tests the application, Contrast is looking at that traffic. Another application, like a Qualys, doesn't go hand-in-hand with a manual pen test team. Contrast really helps us because it's more like another resource looking at traffic, and at logs. It's like a watchman looking at traffic going in and going out. I literally consider it as another resource looking at traffic, day in and day out.
Contrast has also reduced the number of false positives we have to deal with, by something like 10 to 20 percent over the 18-plus months that we've had it.
The solution is accurate 90 percent of the time. Most of the time, when Contrast has identified top vulnerabilities in the OWASP Top 10, our manual pen-test team has gone in and said, "Yes, for sure." There were times when, because of resourcing issues, we did not have people pen-testing and they would just say, "Okay, we'll see what Contrast says." And sure enough, Contrast would come back with 10 to 20 critical vulnerabilities. Then we would backtrack and have manual pen do some pen tests. They would come back and say, "Yes, it has literally identified most of them;" things like a SQL Injection, which is in the OWASP Top 10. So we've seen that happen in the past, and that's why I feel the accuracy of Contrast is pretty good.
The advantage of using Contrast is that it is continuous.
I've seen some of the development teams completely take up Contrast themselves and work in Contrast. For example, a developer will be notified of an issue and will fix the code. He will then go back to Contrast and mark it as remediated. Then, he will keep watching the portal. He will be notified if the same vulnerability is found. We have seen teams that completely like the information that Contrast provides and they work independently with Contrast, instead of having a security team guiding them and holding their hands. There are times when we do hold hands for some of the teams, but it really depends on the software developers' maturity and secure coding practices.
In addition, it definitely helps save us time and money by being able to fix software bugs earlier in the software development lifecycle. It really depends on where you put Contrast. If you put Contrast in your Dev environment, sure enough, as soon as the developer deploys his code and QA is testing it in that environment, it will immediately flag and say, for instance, "You're not using TLS 1.2." The developer will go back and make those changes. It really depends on what model you have and where you want to use Contrast to your advantage. A lot of teams put it in the development environment or a preparation environment and get to fixing vulnerabilities before something is released.
I've also seen the other side of the fence where people have deployed it in production. The vulnerabilities keep coming. Newer hacks develop over time. When teams put it in prod and an exploit happens, they can use Contrast Protect and block it on the other side. You can use it as you need to use it.
The time it saves us is on the order of one US-based FTE, a security person at an average pay level. At a bare minimum, Contrast helps us like that resource. It's like having a CISSP guy, in the US, on our payroll. That's how we quantify it in our team and how we did so in our project proposal.