IT Security
Posted Saturday, October 5, 2013 11:40 AM
Comments posted to this topic are about the item IT Security
Follow me on Twitter: @way0utwest

Forum Etiquette: How to post data/code on a forum to get the best help
Post #1501849
Posted Saturday, October 5, 2013 4:48 PM
Let's talk about the "other side" of security.

From what I've seen on these very forums, most companies shouldn't be allowed to be in business never mind write even a single line of code. How many times have we seen people with query requests where the SSN, TIN, Credit Card numbers, and other personal information are stored in clear text? Even storing the "last 4 digits" and someone's birthdate in clear text is a violation, in my eyes. You can do a whole lot of damage with just those two pieces of information if you're dedicated to the art of invasion.

As for "allow shoddy code", that's totally wrong. They INSIST on shoddy code because "it takes too long to do it right".

Enforcement is stupid, as well. I worked for one company that repeatedly failed PCI compliance but they were still allowed 2 whole years to get their act together. My feeling is that such compliance should be achieved and certified by proper authority BEFORE anything hits production. But, NO, that would slow things down too much.

Don't get me started on all of the information, like SSNs, etc., that we have to give up just to get the lights turned on in the house or to procure other simple services. It's ridiculous, and so is the way a whole lot of supposedly reputable companies/hospitals, etc. handle the data.

I guess that qualifies as a "rant", huh?


--Jeff Moden
"RBAR is pronounced "ree-bar" and is a "Modenism" for "Row-By-Agonizing-Row".

First step towards the paradigm shift of writing Set Based code:
Stop thinking about what you want to do to a row... think, instead, of what you want to do to a column."

(play on words) "Just because you CAN do something in T-SQL, doesn't mean you SHOULDN'T." --22 Aug 2013

Helpful Links:
How to post code problems
How to post performance problems
Post #1501874
Posted Sunday, October 6, 2013 7:15 PM
    Jeff Moden (10/5/2013)
        ...
        I guess that qualifies as a "rant", huh?

Yep, and I agree.

Follow me on Twitter: @way0utwest

Forum Etiquette: How to post data/code on a forum to get the best help
Post #1501980
Posted Monday, October 7, 2013 11:15 AM
Jeff's "rant" sure hits home. I think it's only going to get better when the data owners are going to be held accountable whether it's through insurance, criminal proceedings or maybe social media/economic hurt. It feels like a house of cards.
Post #1502274
Posted Tuesday, October 8, 2013 6:32 AM
    Steve Jones - SSC Editor (10/6/2013)
        Jeff Moden (10/5/2013)
            ...
            I guess that qualifies as a "rant", huh?

        Yep, and I agree.

Ditto from me.

LinkedIn Profile
Newbie on www.simple-talk.com
Post #1502579
Posted Tuesday, October 8, 2013 11:14 AM
    David.Poole (10/8/2013)
        Steve Jones - SSC Editor (10/6/2013)
            Jeff Moden (10/5/2013)
                ...
                I guess that qualifies as a "rant", huh?

            Yep, and I agree.

        Ditto from me.

I agree too. But Jeff understated it; this stuff needs serious penalties, and insurance premiums won't be painful enough to make anything happen. In Europe we have some legislation, but the sticks consist of fines which are rarely imposed and anyway are generally at a level which is peanuts compared to the daily profits of the offending companies or the daily money wasted in government bureaucracies which also spill all sorts of data, plus getting your incompetence documented in the newspapers. We need hard laws about what data needs to be protected properly and jail time for the directors (US English: vice presidents) responsible for the mess, because just about all the data on the planet is totally unprotected and will stay that way until it costs real pain to fix it.

Tom
Post #1502726