Post category: Blog
Post last modified: June 12, 2024

What mitigation strategy can an application use to defend against SQL injection attacks?

  • Validate user-supplied input data.
  • Implement security controls that block SQL traffic.
  • Run web applications only on Windows SQL servers.
  • Restrict SQL deployments to MongoDB Non-relational database management systems (DBMS).
Explanation & Hint:

The most effective mitigation strategy an application can use to defend against SQL injection attacks is to “Validate user-supplied input data.”

Validating input data involves checking, sanitizing, and/or escaping user inputs to ensure that they do not contain SQL code that could be executed by the database. This is a crucial part of a defense-in-depth approach to security and can significantly reduce the risk of SQL injection attacks. Proper input validation ensures that only appropriately formatted data is accepted, thereby preventing malicious SQL code from being injected into the database through user inputs.
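As an added illustration of the input-validation point above (example code, not part of the original quiz page), the following Python snippet contrasts a lookup that splices user input into the SQL text with one that allow-list validates the value and then binds it as a parameter. The `users` table and its rows are constructed sample data.

```python
import re
import sqlite3


def make_db():
    # Constructed in-memory sample database (not from the original page).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


def lookup_vulnerable(conn, username):
    # String concatenation: whatever the user sends becomes part of the SQL text,
    # so quote characters and operators in the input change the query's logic.
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


# Allow-list: a username may only contain letters, digits and underscores.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")


def validate_username(username):
    # Returns True only when the input matches the expected format exactly.
    return USERNAME_RE.fullmatch(username) is not None


def lookup_hardened(conn, username):
    # Validate first, then pass the value as a bound parameter; the database
    # driver treats it purely as data, never as SQL syntax.
    if not validate_username(username):
        raise ValueError("rejected input: not a valid username")
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def hardened_rejects(conn, username):
    # Helper for checks: True when the hardened path refuses the input.
    try:
        lookup_hardened(conn, username)
    except ValueError:
        return True
    return False
```

Running `lookup_vulnerable` with a tautology such as `' OR '1'='1` returns every row, while the hardened version rejects the same input before it ever reaches the database.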

The other options are not as directly effective or relevant in defending against SQL injection:

  • Implement security controls that block SQL traffic: Blocking SQL traffic is not feasible as legitimate application functionality often requires SQL traffic to interact with a database.
  • Run web applications only on Windows SQL servers: The choice of server does not inherently mitigate SQL injection attacks. SQL injection vulnerabilities are more about how the application handles input and communicates with the database, rather than the specific database server being used.
  • Restrict SQL deployments to MongoDB Non-relational database management systems (DBMS): Switching to a non-relational DBMS like MongoDB may avoid traditional SQL injection, but it does not eliminate the risk of injection attacks entirely. Non-relational databases can still be vulnerable to other forms of injection if input is not properly handled.

For more Questions and Answers:

Threat Analysis Post-Assessment | CBROPS
