MX Logic » MX Logic IT Security Blog

26 June 2008

Microsoft Identifies Tools to Address SQL Injection Attacks?

Don't be fooled...

According to this TechTarget article, Microsoft has a few tools that they recommend people use to address SQL injection attacks.

Don't be fooled by what "address" means in this context. Let's be clear on what these tools do and what they don't do.

They DO:

-- Scan web sites and identify potential SQL injection vulnerabilities. Even Erik Peterson, a senior director of products for HP's application security center, states that Scrawlr (one of the tools identified) falls short of the functionality provided by many commercial tools.
-- Analyze source code for potential vulnerabilities; however, the recommended source code analyzer only supports ASP code written in VBScript.

Seems like we are quickly narrowing down the number of web sites these recommended tools will even function on.

They DON'T:

-- Provide protection against any attacks.
-- Solve the real root of the problem, which is ensuring programmers follow safe coding practices to protect the sites they develop from SQL injection vulnerabilities.

If you use any of these tools that Microsoft is recommending, don't be lulled into the false sense of security they can provide. As we can see, many free scanning tools have all kinds of limitations: they offer only the most basic testing, or they only work when very specific technology conditions and phases of the moon exist.

I am glad to see that Robert Westervelt, the author of the article linked at the beginning of this post, wrote up this clarification today. I like Robert and actually did an interview with him back in January related to PDF spam, which posted to his blog, but I think his original article not only missed the mark but could very well have generated a lot of confusion among junior security researchers and management folks on effective ways to detect SQL injection vulnerabilities.

Posted by smasiello at 12:09 PM | Link | 0 comments
