SQL injections, more than any other exploit, can land your company in trouble. So why aren't you worried about them? Few things make a CIO's eyes glaze over like the mere mention of SQL injections. Unless they cut their teeth in security or SQL programming, chances are that the folks who control the purse strings don't understand these increasingly common attacks. That's a real issue because you're probably making decisions that could exacerbate the problem.
So just how big is the problem? The number of SQL injection attempts has gone from a few thousand a day just last year to more than half a million a day now, according to IBM's ISS X-Force. The bad guys are using automated tools to find out where SQL injection is possible, evaluating the sites for the best exploitation possibilities. These bad guys are really bad. They aren't looking to be disruptive; they're looking to steal credit card numbers and identities for profit. These are the exploits that tripped up the likes of Heartland Payment Systems and retailer TJX. And even if you aren't processing lots of credit cards, there's reason to guard against SQL injection, as the exploit also can be used as a first step to modifying your Web site to spread malware.

The link to this article at InformationWeek is no longer available.