Title :
Mitigating SQL Injection Attacks via Hybrid Threat Modelling
Author :
Habeeb Omotunde; Rosziati Ibrahim
Author_Institution :
Fac. of Comput. Sci. &
Abstract :
Web applications dependent on back-end databases are currently not immune to SQL injection attacks despite huge investment in security artefacts and defensive software mechanisms deployed by organizations. These attacks involve the insertion of malformed strings or specially crafted input, encoded as SQL queries, into web forms or HTTP header requests sent to web servers. While many techniques have been rigorously applied at the implementation, testing and deployment phases of the software development life cycle (SDLC), this paper proposes a Hybrid Threat Modeling Framework, MOTH, for tackling SQL injection exploits at the design phase, an earlier development phase of the SDLC.
Keywords :
"Software","Security","Encoding","Runtime","Databases","Testing","Industries"
Conference_Title :
Information Science and Security (ICISS), 2015 2nd International Conference on
DOI :
10.1109/ICISSEC.2015.7371019