A security analyst notices that a web application is vulnerable to SQL injection. The application uses parameterized queries for most inputs but concatenates user input directly into a query for a legacy module. Which is the BEST immediate remediation?
Trap 1: Disable the legacy module until a full rewrite is completed.
Disabling the module removes functionality instead of fixing the flaw, and a targeted fix to the one concatenating query is available immediately.
Trap 2: Deploy a web application firewall (WAF) to block SQL injection…
A WAF is a compensating control, not a fix: pattern filters are routinely bypassed with encoding, comments and case tricks, and the concatenation stays in the code.
Trap 3: Implement input validation to reject special characters.
Rejecting special characters is a denylist: it breaks legitimate input (names containing an apostrophe) and misses payloads that need none of the blocked characters, such as `1 OR 1=1` in a numeric context.
- A
Disable the legacy module until a full rewrite is completed.
Why wrong: It is a stopgap that trades the vulnerability for an outage. The flaw is confined to one module's query construction, so a targeted code fix is possible immediately without taking the module offline.
- B
Rewrite the legacy module to use parameterized queries.
Correct: Parameterized (prepared) queries send the SQL text and the user-supplied values to the database separately, so bound input is treated strictly as data and is never re-parsed as part of the statement. This removes the root cause in the one place it exists. Caveat: parameters bind values only; a table or column name, or a sort direction, taken from user input still needs an allowlist.
- C
Deploy a web application firewall (WAF) to block SQL injection patterns.
Why wrong: A WAF is a compensating control that sits in front of the flaw rather than fixing it. Signature-based blocking is bypassed with encoding, inline comments, case variation and alternative syntax, and the vulnerable concatenation remains for the next bypass.
- D
Implement input validation to reject special characters.
Why wrong: A character denylist is not a fix for injection. It rejects legitimate input (names with apostrophes) and still misses payloads that use none of the blocked characters, for example `1 OR 1=1` against a numeric column. Validation is useful as defence in depth, but only parameterization separates code from data.
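The following is an added example, not part of the original question, showing why option B fixes the flaw and why option D does not. It uses Python's standard-library sqlite3 module against a constructed in-memory table; the function names and sample rows are hypothetical. `find_user_legacy` reproduces the concatenation described in the question, `find_user_fixed` is the same lookup with a bound parameter, and the two `find_by_id_*` functions show that a denylist on quotes still lets a numeric-context payload through while parameterization (with a type check) does not.

```python
import sqlite3


def make_db():
    """Constructed sample data for the demonstration (not from the original page)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    conn.commit()
    return conn


def find_user_legacy(conn, username):
    """Legacy module: user input is concatenated into the SQL text (vulnerable)."""
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def find_user_fixed(conn, username):
    """Remediation (option B): the SQL text is constant, the value is bound as a parameter."""
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def find_by_id_filtered(conn, user_id):
    """Option D: reject 'special characters', then concatenate. Still injectable."""
    if any(ch in user_id for ch in "'\";--"):
        raise ValueError("input rejected by character denylist")
    sql = "SELECT username, role FROM users WHERE id = " + user_id
    return conn.execute(sql).fetchall()


def find_by_id_fixed(conn, user_id):
    """Parameterized numeric lookup; non-integer input cannot reach the parser."""
    try:
        uid = int(user_id)
    except ValueError:
        return []
    return conn.execute("SELECT username, role FROM users WHERE id = ?", (uid,)).fetchall()


def demo():
    """Return the outcomes for a benign value and an injection payload in each path."""
    conn = make_db()
    payload = "x' OR '1'='1"        # classic string-context injection
    numeric_payload = "2 OR 1=1"    # no quotes, so a character denylist passes it
    return {
        "legacy_benign": find_user_legacy(conn, "alice"),
        "legacy_injected": find_user_legacy(conn, payload),
        "fixed_injected": find_user_fixed(conn, payload),
        "filtered_injected": find_by_id_filtered(conn, numeric_payload),
        "fixed_numeric_injected": find_by_id_fixed(conn, numeric_payload),
        "fixed_numeric_benign": find_by_id_fixed(conn, "2"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

Running the block shows the legacy path returning every row for the `' OR '1'='1` payload, the parameterized path returning nothing for the same input (it looks for a user literally named `x' OR '1'='1`), the denylisted path returning every row for `2 OR 1=1`, and the parameterized numeric path returning nothing for that payload while still finding user 2 for a benign `2`.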