• Kyrilluk (5/23/2016)


    Jeff Moden (5/23/2016)


    I simply ask if he'll enjoy reading about himself in the morning news after the company has suffered a breach. I also explain that customers can and do sue when breaches occur and that it's really difficult to keep and get new customers after such a breach has occurred.

    They usually come around.

    If an application has an obvious security hole (such as the sa password hard-coded in the application, or a stored proc that can be SQL injected), is it not possible to sue the software provider?

The thing is, in many cases software developers are running without a highly (or even particularly, or in some cases vaguely) skilled SQL Server resource. A DBA with decent security skills isn't that easy to find, particularly when most people don't really know what they're asking for, and comes with a big ticket attached. So, if that's your bag, yeah, sue on that basis. However, this isn't particularly good for the company whose software is running part of YOUR business.

While it's not universal, you are going to get the occasional clown who is going to scream blue murder when security issues are raised rather than work towards a mature solution; in general, I tend to find suppliers are pretty sympathetic or even grateful when you put such issues in front of them and very much prepared to work with you in addressing them. Provided you do it right.

This is, after all, improving their product, and being able to walk onto another prospect's site and go " ... and of course with security being such a critical factor in xxx industry, we've worked with our clients to ensure our product adheres to POLP ... " does them a lot of good if the competition can't. This is also good for stability in your department.

Win / win.

I'm a DBA.
I'm not paid to solve problems. I'm paid to prevent them.
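As an added illustration of the two issues raised in the thread (a stored proc that can be SQL injected, and an application running as sa instead of under least privilege), here is a T-SQL example that is not part of the original posts or any product discussed above. The table, procedure, login and user names (`dbo.Customers`, `dbo.FindCustomer_Unsafe`, `dbo.FindCustomer_Safe`, `app_login`, `app_user`) are assumptions made up for the example; the point is the contrast between concatenating user input into dynamic SQL and passing it as a parameter to sp_executesql, followed by the grant a vendor would use instead of asking for sa.

```sql
-- Added example (not from the thread). Names below are assumed/constructed.
-- Run in a throwaway database on a test SQL Server instance.

-- Constructed sample table so the example is self-contained.
CREATE TABLE dbo.Customers (
    CustomerId INT IDENTITY PRIMARY KEY,
    LastName   NVARCHAR(100) NOT NULL,
    Email      NVARCHAR(200) NOT NULL
);
INSERT INTO dbo.Customers (LastName, Email)
VALUES (N'Smith', N'smith@example.test'),
       (N'Jones', N'jones@example.test');
GO

-- VULNERABLE PATTERN: the caller's @LastName is spliced into the statement
-- text, so SQL Server executes whatever the caller supplies as code.
-- Kept only to show what the thread's "stored proc that can be SQL injected"
-- looks like in practice; do not deploy this shape.
CREATE PROCEDURE dbo.FindCustomer_Unsafe
    @LastName NVARCHAR(100)
AS
BEGIN
    DECLARE @sql NVARCHAR(MAX) =
        N'SELECT CustomerId, LastName, Email FROM dbo.Customers '
      + N'WHERE LastName = ''' + @LastName + N''';';
    EXEC (@sql);          -- input becomes part of the executed statement
END;
GO

-- HARDENED PATTERN: the statement text is a fixed string and the value
-- travels as a typed parameter via sp_executesql, so it can never be
-- interpreted as SQL. The plan is also cached and reused.
CREATE PROCEDURE dbo.FindCustomer_Safe
    @LastName NVARCHAR(100)
AS
BEGIN
    SET NOCOUNT ON;
    DECLARE @sql NVARCHAR(MAX) =
        N'SELECT CustomerId, LastName, Email FROM dbo.Customers '
      + N'WHERE LastName = @p_LastName;';
    EXEC sys.sp_executesql
        @sql,
        N'@p_LastName NVARCHAR(100)',   -- parameter definition
        @p_LastName = @LastName;        -- value bound, never concatenated
END;
GO

-- LEAST PRIVILEGE (the POLP the thread mentions): the application connects
-- as a dedicated login mapped to a user that can only EXECUTE the safe
-- procedure. Ownership chaining lets the proc read dbo.Customers without
-- granting the application any direct table access, and nothing here
-- requires sa. Password is a placeholder; use the site's secret management.
CREATE LOGIN app_login WITH PASSWORD = '<placeholder-strong-password>';
CREATE USER  app_user  FOR LOGIN app_login;
GRANT EXECUTE ON OBJECT::dbo.FindCustomer_Safe TO app_user;
-- Deliberately no GRANT on dbo.FindCustomer_Unsafe and no table grants.
GO

-- Quick check: the safe proc returns only the matching row for a normal value.
EXEC dbo.FindCustomer_Safe @LastName = N'Smith';   -- one row: Smith
GO
```

When reviewing a vendor's procedures, the thing to look for is any `EXEC (@sql)` or `EXECUTE(...)` where `@sql` was built with `+` from a parameter; the fix is almost always mechanical, as above, and the sa requirement usually disappears once the application is given only EXECUTE on its own procedures.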