More Data Security Issues
SQLServerCentral forum thread
Posted Tuesday, June 25, 2013 8:19 PM
SSC Journeyman

Group: General Forum Members
Last Login: Tuesday, July 15, 2014 7:25 PM
Points: 97, Visits: 339
This is a problem in many businesses and I believe stems from the near universal idea that a business should maximise shareholder value ahead of value generated for other stakeholders (customers, employees, the community). This is justified by the mistaken idea that shareholders are the only stakeholders who are exposed to any risk in the enterprise.

Too many people have experienced (either directly, or having seen it happen to people they know) a company saying 'we value loyalty' at the interview and then forcing redundancy on employees at the first sign of difficulty.
Post #1467418
Posted Wednesday, June 26, 2013 10:11 AM
SSC-Addicted

Group: General Forum Members
Last Login: Friday, June 13, 2014 12:40 PM
Points: 461, Visits: 753
Eric M Russell (6/25/2013)
djackson 22568 (6/25/2013)
I agree that developers need to get better at using proper techniques.

That said, companies are the real root cause of poor software. The opposition to allowing time to code, test and validate is the largest issue. I know a lot of developers that WANT TO write better code, but are not allowed to.

Developers may be members of DBO or even SYSADMIN when they login to a development database using their domain account. They need that for creating tables, procedures, etc. However, when unit testing or performing QA, they should login using a separate account that has the same name and least privileges as the application account (should have) in production. If testing is not done under a least privilege account like this, then many organizations will punt and grant full DBO or SYSADMIN rights to the application account.

Yep.

My organization is engaged in upgrading to Windows 7 due to XP support ending next year. (Note the guy in charge was not even aware of this until I brought it up!) The majority of our applications were built and sold to us requiring the end user be a local admin on the PC. They will not support us if there are issues unless the user is an admin, and in most cases, the app will not function without those rights.

We can blame the vendors, and they do have some responsibility for the poor design, but we also need to look at Microsoft recommendations over time. Back in the 3.1 days, INI files stored user preferences. Microsoft changed to recommend using the registry. As security became more of a front line issue, they changed recommendations again.

Basically there are a number of reasons why things are so bad.


Dave
Post #1467760
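The point Eric makes in the quoted paragraph above (test under an account shaped like the production application account, not as db_owner or sysadmin) is easy to script. The following T-SQL is an added example written for this thread, not code from either poster or from Microsoft; the database name OrdersDev, the login svc_orders_app, the role app_execute, the table and procedure names, and the placeholder password are all assumptions. The last query is the check a DBA would run to find who still holds sysadmin or db_owner in the development database.

```sql
-- Added example (not from the thread). All object names are assumptions.
CREATE DATABASE OrdersDev;   -- hypothetical development database
GO
USE OrdersDev;
GO

-- Something for the application to touch: one table, one procedure.
CREATE TABLE dbo.Orders (OrderId int PRIMARY KEY, Customer nvarchar(100));
GO
CREATE PROCEDURE dbo.usp_GetOrder @OrderId int AS
    SELECT OrderId, Customer FROM dbo.Orders WHERE OrderId = @OrderId;
GO

-- 1. A dedicated login/user named like the production application account.
--    The password is a placeholder; CHECK_POLICY applies the Windows password policy.
CREATE LOGIN svc_orders_app WITH PASSWORD = 'placeholder-change-me-1A!', CHECK_POLICY = ON;
CREATE USER svc_orders_app FOR LOGIN svc_orders_app;

-- 2. A role carrying exactly what the application needs: EXECUTE on the
--    procedure schema, no direct table access, no DDL, no fixed-role membership.
CREATE ROLE app_execute;
GRANT EXECUTE ON SCHEMA::dbo TO app_execute;
ALTER ROLE app_execute ADD MEMBER svc_orders_app;
GO

-- 3. Run the unit-test session as that user and prove what it can and cannot do.
--    Expected: can_exec_proc = 1, can_read_table = 0, is_dbo = 0.
--    The procedure still reads dbo.Orders through ownership chaining, so the
--    application works without any grant on the table itself.
EXECUTE AS USER = 'svc_orders_app';
SELECT
    HAS_PERMS_BY_NAME('dbo.usp_GetOrder', 'OBJECT', 'EXECUTE') AS can_exec_proc,
    HAS_PERMS_BY_NAME('dbo.Orders', 'OBJECT', 'SELECT')        AS can_read_table,
    IS_MEMBER('db_owner')                                      AS is_dbo;
REVERT;
GO

-- 4. Audit: which logins and users still hold sysadmin or db_owner here?
--    Anything returned for the application account is a finding.
SELECT sp.name AS principal_name, 'sysadmin' AS held_role
FROM sys.server_principals AS sp
WHERE sp.type IN ('S', 'U', 'G')                 -- SQL login, Windows login, Windows group
  AND IS_SRVROLEMEMBER('sysadmin', sp.name) = 1
UNION ALL
SELECT dp.name, 'db_owner'
FROM sys.database_role_members AS rm
JOIN sys.database_principals AS r  ON r.principal_id  = rm.role_principal_id
JOIN sys.database_principals AS dp ON dp.principal_id = rm.member_principal_id
WHERE r.name = 'db_owner';
```

Running the QA suite under svc_orders_app surfaces every missing grant during testing, which is exactly where it should surface; the alternative Eric describes, discovering it in production and "punting" to db_owner, is what the audit query at the end is meant to catch.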
Posted Wednesday, June 26, 2013 10:44 AM
SSC-Dedicated

Group: Administrators
Last Login: Today @ 3:31 PM
Points: 33,051, Visits: 15,159
mtucker-732014 (6/25/2013)
This is a problem in many businesses and I believe stems from the near universal idea that a business should maximise shareholder value ahead of value generated for other stakeholders (customers, employees, the community). This is justified by the mistaken idea that shareholders are the only stakeholders who are exposed to any risk in the enterprise.

Too many people have experienced (either directly, or having seen it happen to people they know) a company saying 'we value loyalty' at the interview and then forcing redundancy on employees at the first sign of difficulty.


Much of this is definitional. Improving stakeholder value can often improve shareholder value, or it cannot. Using one statement without the other, and without context is where we get into issues.

Also, do we want to improve value today (this quarter, this year), or the long term? Some of what David noted above is that people look to short term value more than long term value. Long term you develop more robustly and realize that security decisions can affect you later. Short term, do what MS says and eff it if it's wrong.

Follow me on Twitter: @way0utwest
Forum Etiquette: How to post data/code on a forum to get the best help
Post #1467776
Posted Wednesday, June 26, 2013 12:25 PM
SSCommitted

Group: General Forum Members
Last Login: Today @ 12:14 PM
Points: 1,595, Visits: 4,584
I don't think that Microsoft can be faulted for insecure data. The database, network, and operating system framework that Microsoft has provided us is solid when it comes to security. For example, I've heard from security experts that SQL Server is much easier to lock down and has had fewer security holes when compared to Oracle and other products.

Data security is also not about decisions made by the board of directors at the organization.

Really, if you look at news stories about data breaches, the plot is the same:
1. Some guy who couldn't be trusted had unrestricted access to the database
2. SQL injection
3. Some developer copied down the database to their laptop and then lost it.

These things can be prevented using role based security, properly coded SQL in the application, and enforcing restriction policies on the Windows workstations. Microsoft has given us the tools we need.

I hate to say it, but it's mostly about ignorance on the part of IT staff, primarily the developers and DBA.
Post #1467810
Posted Wednesday, June 26, 2013 1:17 PM
SSC-Addicted

Group: General Forum Members
Last Login: Friday, June 13, 2014 12:40 PM
Points: 461, Visits: 753
Eric M Russell (6/26/2013)
I don't think that Microsoft can be faulted for insecure data. The database, network, and operating system framework that Microsoft has provided us is solid when it comes to security. For example, I've heard from security experts that SQL Server is much easier to lock down and has had fewer security holes when compared to Oracle and other products.

Data security is also not about decisions made by the board of directors at the organization.

Really, if you look at news stories about data breaches, the plot is the same:
1. Some guy who couldn't be trusted had unrestricted access to the database
2. SQL injection
3. Some developer copied down the database to their laptop and then lost it.

These things can be prevented using role based security, properly coded SQL in the application, and enforcing restriction policies on the Windows workstations. Microsoft has given us the tools we need.

I hate to say it, but it's mostly about ignorance on the part of IT staff, primarily the developers and DBA.


Not what I said. What I said was Microsoft changed the game. Developers are partly at fault, but Microsoft changes their design requirements as often as some people change shoes! I do feel for the developers who have to completely redesign something because some idiot in Marketing at Microsoft thinks they can make more money by doing something different. I also feel for them when changes are made to make products more secure. I hate to say it, but the fact remains that Microsoft originally left out any thoughts about making things secure, and only recently made progress on that front, so yes, they are partly to blame. I am by no means a hater of Microsoft, but I am not going to sugar coat things either.

There are many reasons behind these issues, not just lazy developers.


Dave
Post #1467834
Posted Thursday, June 27, 2013 6:24 AM
SSCertifiable

Group: General Forum Members
Last Login: Today @ 12:25 PM
Points: 5,162, Visits: 2,766
djackson 22568 (6/26/2013)
Eric M Russell (6/26/2013)
I don't think that Microsoft can be faulted for insecure data. The database, network, and operating system framework that Microsoft has provided us is solid when it comes to security. For example, I've heard from security experts that SQL Server is much easier to lock down and has had fewer security holes when compared to Oracle and other products.

Data security is also not about decisions made by the board of directors at the organization.

Really, if you look at news stories about data breaches, the plot is the same:
1. Some guy who couldn't be trusted had unrestricted access to the database
2. SQL injection
3. Some developer copied down the database to their laptop and then lost it.

These things can be prevented using role based security, properly coded SQL in the application, and enforcing restriction policies on the Windows workstations. Microsoft has given us the tools we need.

I hate to say it, but it's mostly about ignorance on the part of IT staff, primarily the developers and DBA.


Not what I said. What I said was Microsoft changed the game. Developers are partly at fault, but Microsoft changes their design requirements as often as some people change shoes! I do feel for the developers who have to completely redesign something because some idiot in Marketing at Microsoft thinks they can make more money by doing something different. I also feel for them when changes are made to make products more secure. I hate to say it, but the fact remains that Microsoft originally left out any thoughts about making things secure, and only recently made progress on that front, so yes, they are partly to blame. I am by no means a hater of Microsoft, but I am not going to sugar coat things either.

There are many reasons behind these issues, not just lazy developers.


I guess we all have to accept that the industry, in general, was somewhat lax regarding security (myself included). I feel that once the Internet became prevalent in use and more and more valuable data was collected, suddenly it was easy to get something worthwhile.


Gaz

-- Stop your grinnin' and drop your linen...they're everywhere!!!
Post #1468102
Posted Thursday, June 27, 2013 6:54 AM
SSCommitted

Group: General Forum Members
Last Login: Today @ 12:14 PM
Points: 1,595, Visits: 4,584
djackson 22568 (6/26/2013)
Eric M Russell (6/26/2013)
I don't think that Microsoft can be faulted for insecure data. The database, network, and operating system framework that Microsoft has provided us is solid when it comes to security. For example, I've heard from security experts that SQL Server is much easier to lock down and has had fewer security holes when compared to Oracle and other products.

Data security is also not about decisions made by the board of directors at the organization.

Really, if you look at news stories about data breaches, the plot is the same:
1. Some guy who couldn't be trusted had unrestricted access to the database
2. SQL injection
3. Some developer copied down the database to their laptop and then lost it.

These things can be prevented using role based security, properly coded SQL in the application, and enforcing restriction policies on the Windows workstations. Microsoft has given us the tools we need.

I hate to say it, but it's mostly about ignorance on the part of IT staff, primarily the developers and DBA.


Not what I said. What I said was Microsoft changed the game. Developers are partly at fault, but Microsoft changes their design requirements as often as some people change shoes! I do feel for the developers who have to completely redesign something because some idiot in Marketing at Microsoft thinks they can make more money by doing something different. I also feel for them when changes are made to make products more secure. I hate to say it, but the fact remains that Microsoft originally left out any thoughts about making things secure, and only recently made progress on that front, so yes, they are partly to blame. I am by no means a hater of Microsoft, but I am not going to sugar coat things either.

There are many reasons behind these issues, not just lazy developers.

SQL injection, user accounts with SYSADMIN access to production, lost laptops containing social security numbers:

I don't think that the marketing department of Microsoft, an organization's board of directors, or even the organization's executive management are responsible for that. There is also little they can do to mitigate that, because the proper solutions have been around for decades. It all boils down to developers and DBAs making bad choices, not following widely accepted best practices.
Post #1468121
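Eric's two posts (#1467810 and #1468121) both name SQL injection as the second item on the breach list and "properly coded SQL in the application" as its fix. The T-SQL below is an added example for this thread, not code from any poster; it shows the same lookup written the way that is injectable (input spliced into the statement text) and the way that is not (a fixed statement with the value passed as a parameter through sp_executesql). The database OrdersDev, the Customers table, the procedure names and the sample rows are all constructed for the example.

```sql
-- Added example (not from the thread). Object names and sample data are constructed.
CREATE DATABASE OrdersDev;
GO
USE OrdersDev;
GO
CREATE TABLE dbo.Customers (CustomerId int IDENTITY PRIMARY KEY, Name nvarchar(100));
INSERT dbo.Customers (Name) VALUES (N'Smith'), (N'O''Brien');
GO

-- Injectable: the caller's string becomes part of the SQL grammar. A quote in
-- the input ends the literal early, so even a legitimate name breaks the query,
-- and a crafted one changes what the statement does.
CREATE PROCEDURE dbo.usp_FindCustomer_Unsafe @Name nvarchar(100) AS
BEGIN
    DECLARE @sql nvarchar(max) =
        N'SELECT CustomerId, Name FROM dbo.Customers WHERE Name = ''' + @Name + N'''';
    EXEC (@sql);
END;
GO

-- Hardened: the statement text never changes; the value travels as a typed
-- parameter, so quotes, semicolons and comment markers in it are just data.
CREATE PROCEDURE dbo.usp_FindCustomer_Safe @Name nvarchar(100) AS
BEGIN
    DECLARE @sql nvarchar(max) =
        N'SELECT CustomerId, Name FROM dbo.Customers WHERE Name = @p';
    EXEC sys.sp_executesql @sql, N'@p nvarchar(100)', @p = @Name;
END;
GO

-- Looking up the second customer (the apostrophe is the only special character):
-- the safe procedure returns the one matching row; the unsafe one fails with a
-- syntax error because the generated text reads  WHERE Name = 'O'Brien'.
EXEC dbo.usp_FindCustomer_Safe   @Name = N'O''Brien';
-- EXEC dbo.usp_FindCustomer_Unsafe @Name = N'O''Brien';   -- raises a syntax error
GO
```

Two notes on the choice. First, dynamic SQL is only needed here to make the contrast visible in one place; a procedure that can write the query as plain static T-SQL should do that and needs no sp_executesql at all. Second, the same rule applies on the client side: an application that builds its command text by concatenating user input is in the unsafe shape regardless of how well the database is locked down, while one that binds values as parameters (SqlParameter in ADO.NET, for instance) is in the safe shape. Combined with the least-privilege application account Eric describes earlier in the thread, a parameter-only data access layer closes the second item on his list.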