"Although Microsoft ASP is a powerful component in the Windows 2000 Server stable of offerings, it seems that hackers have latched on to the fact that many companies have created poorly-written Web code that interfaces with their Web sites' back-end database," said Rob Rachwald, Fortify's director of product marketing.
"This means that, although the Microsoft Security Response Centre (MSRC) is aware of the problem, it's not something it can issue a patch for. As a result, large numbers of ASP-enabled Web hosts are being hit by SQL injection attacks," he added. According to Rachwald, Microsoft has risen to the occasion by releasing a source code analyser, but the slightly bad news is that the analyser only works with ASP Classic code and, even then, is only capable of detecting SQL Injection issues, and nothing else.
"All is not lost, however, as Microsoft has released a short-term fix in the form of a utility that performs SQL filtering like a Web application firewall," he said.
"This functions in a similar manner to our Real-Time Analysis technology, although users should be aware that it only blocks specific HTTP requests to prevent potentially harmful SQL requests from being executed on the server. Our RTA technology, on the other hand, blocks SQL Injections and much more," he added.
Microsoft's experience with this situation, says Rachwald, highlights the need for static and dynamic analysis when it comes to application security.
For more on the ASP security issue:
http://tinyurl.com/6j7fwd
For more on Fortify Software:
http://www.fortifysoftware.com
ENDS