Who should we blame for this bad software delivery?
The Developer?
Sure, any developer with basic skills should know how to write SQL queries safely. At a minimum they should have read this guidance:
OWASP SQL Injection Prevention Cheat Sheet
Was the developer copying code from someone else? Maybe they need to use better tools, or add the word "securely" to their queries!!
The Code Reviewer?
Every piece of code needs to be reviewed before it makes it into a release. Was the reviewer not watching for simple problems? If the code was not reviewed at all, that is another problem.
The Secure DevOps Team?
They are responsible for scanning all code before it is put into production. Were they not using the free tools that any code repository offers to scan for SQL injection vulnerabilities? Did they ignore the warnings, or did they just turn them off because they were too annoying?
The Engineering Manager?
Is this person aware of what their teams are doing and the process they are following?
The Quality Awareness Team?
Were there no tests created to check whether SQL injection is possible? Someone should look at the security tests that were actually being executed.
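To make the developer and test points above concrete, here is an added example that is not part of the original post: a lookup built by string concatenation, the same lookup with a bound parameter, and the kind of test the quality team could have run against both. It assumes an in-memory SQLite database with a constructed users table; the function names, the sample rows and the two payloads are mine, not from the post.

```python
# Added example (not from the original post): a string-concatenated query
# beside its parameterized replacement, plus a test that flags the flaw.
# Assumptions: SQLite via the standard library, a constructed users table.
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build a throwaway in-memory database with constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com"), ("carol", "carol@example.com")],
    )
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Deliberately vulnerable: the untrusted value is pasted into the SQL text,
    so quotes and comment markers in it change the meaning of the statement."""
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return sorted(row[0] for row in conn.execute(sql))


def find_user_safe(conn: sqlite3.Connection, username: str) -> list:
    """Fixed: a bound parameter. The value travels separately from the SQL text
    and is only ever compared, never parsed as SQL."""
    sql = "SELECT username FROM users WHERE username = ?"
    return sorted(row[0] for row in conn.execute(sql, (username,)))


# Constructed payloads: a tautology that matches every row, and a quote plus
# SQL comment that truncates the rest of the statement.
TAUTOLOGY_PAYLOAD = "' OR '1'='1"
COMMENT_PAYLOAD = "alice' --"


def is_injectable(lookup) -> bool:
    """Security test: run the lookup with attacker-shaped input. No legitimate
    user has either payload as a username, so the correct result is zero rows.
    Extra rows, or a database error caused by the input, both mean the value
    reached the SQL parser, i.e. the lookup is injectable."""
    conn = make_db()
    for payload in (TAUTOLOGY_PAYLOAD, COMMENT_PAYLOAD):
        try:
            if lookup(conn, payload):
                return True
        except sqlite3.Error:
            return True
    return False


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, tautology :", find_user_vulnerable(db, TAUTOLOGY_PAYLOAD))
    print("safe, tautology       :", find_user_safe(db, TAUTOLOGY_PAYLOAD))
    print("vulnerable injectable?", is_injectable(find_user_vulnerable))
    print("safe injectable?      ", is_injectable(find_user_safe))
```

Run as a script, the vulnerable lookup returns all three users for the tautology payload and `alice` for the comment payload, while the parameterized lookup returns nothing for either. A test like `is_injectable` belongs in the CI suite next to the functional tests; it needs no scanner and fails the build the moment someone concatenates user input into a query.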
The CISO?
Now a good CISO would say that the buck stops with them. I agree. They are responsible for the security of the data the company manages as well as the software it delivers.
Solution
It is time to put logical consequences for bad software in place. If you are failing to develop and test software for basic vulnerabilities that have been known for over a decade, you need to be re-educated so that you can do a better job.
I know that some of you might believe that an AI can do a better job, but I disagree. AI that thinks like humans and learns from the same resources that humans learn from will end up creating the same problems.