Secure Programming
Steve Jones - SSC Editor
Posted Wednesday, March 18, 2009 3:03 PM
Comments posted to this topic are about the item Secure Programming.
Follow me on Twitter: @way0utwest
Post #678933
RBarryYoung
Posted Wednesday, March 18, 2009 10:43 PM
What I find most interesting about the NSA's list is that the #3 worst practice on their list is specific to SQL: SQL Injection vulnerability.
-- RBarryYoung, (302)375-0451, blog: MovingSQL.com, Twitter: @RBarryYoung
Proactive Performance Solutions, Inc. "Performance is our middle name."
Post #679149
Michael Valentine Jones
Posted Wednesday, March 18, 2009 11:15 PM
It isn't always easy to convince even experienced developers that SQL Injection can be a problem. Look at this current thread.
Avoiding injection on stored procedure: http://www.sqlservercentral.com/Forums/Topic678702-8-1.aspx
Post #679162
Ian Brown-213389
Posted Thursday, March 19, 2009 2:56 AM
Michael Valentine Jones (3/18/2009):
It isn't always easy to convince even experienced developers that SQL Injection can be a problem. Look at this current thread.
Avoiding injection on stored procedure: http://www.sqlservercentral.com/Forums/Topic678702-8-1.aspx
I've put a suggestion at http://www.sqlservercentral.com/Forums/Topic678702-8-2.aspx for that one.
There is no problem so great that it can not be solved by caffeine and chocolate.
Post #679233
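The linked topic is about keeping injection out of a stored procedure. The T-SQL below is an added illustration of that pattern, not code from the linked thread or from Ian's suggestion: a procedure that splices caller input into dynamic SQL, beside a rewrite that binds data values through sys.sp_executesql parameters and restricts the one identifier that has to be dynamic to an allow list before quoting it. The table dbo.Customers and its columns CustomerId, FirstName and LastName are assumed for the example.

```sql
-- Added example (not from the thread). dbo.Customers and its columns are assumed.

-- Vulnerable: @LastName and @SortColumn become part of the statement text,
-- so whoever supplies them also supplies SQL.
CREATE PROCEDURE dbo.FindCustomers_Unsafe
    @LastName   nvarchar(50),
    @SortColumn sysname = N'LastName'
AS
BEGIN
    DECLARE @sql nvarchar(max);
    SET @sql = N'SELECT CustomerId, FirstName, LastName FROM dbo.Customers '
             + N'WHERE LastName = ''' + @LastName + N''' '
             + N'ORDER BY ' + @SortColumn;
    EXEC (@sql);   -- a value of  x' OR 1=1 --  turns the WHERE into "always true"
END;
GO

-- Hardened: data travels as a typed parameter, never as text; the sort column is
-- checked against the table's real columns and then quoted with QUOTENAME.
CREATE PROCEDURE dbo.FindCustomers_Safe
    @LastName   nvarchar(50),
    @SortColumn sysname = N'LastName'
AS
BEGIN
    SET NOCOUNT ON;

    -- Allow list: only a column that exists on dbo.Customers may be used for ORDER BY.
    IF NOT EXISTS (SELECT 1
                   FROM sys.columns
                   WHERE object_id = OBJECT_ID(N'dbo.Customers')
                     AND name = @SortColumn)
    BEGIN
        RAISERROR(N'Invalid sort column.', 16, 1);
        RETURN;
    END;

    DECLARE @sql nvarchar(max);
    SET @sql = N'SELECT CustomerId, FirstName, LastName FROM dbo.Customers '
             + N'WHERE LastName = @p_LastName '
             + N'ORDER BY ' + QUOTENAME(@SortColumn);

    -- @p_LastName is bound as nvarchar(50); its content is compared, not parsed.
    EXEC sys.sp_executesql
        @sql,
        N'@p_LastName nvarchar(50)',
        @p_LastName = @LastName;
END;
GO

-- Constructed payload for comparison:
EXEC dbo.FindCustomers_Unsafe @LastName = N'x'' OR 1=1 --';  -- returns every customer
EXEC dbo.FindCustomers_Safe   @LastName = N'x'' OR 1=1 --';  -- returns only rows whose LastName is literally that string
```

Parameterizing removes the injection but not the permission question: dynamic SQL does not take part in ownership chaining, so the caller of either procedure needs SELECT on dbo.Customers directly, or the procedure must run under EXECUTE AS with a principal that holds no more than that. If the procedure can be written without dynamic SQL at all (here, with a fixed ORDER BY), that is the simpler and safer option.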
Ian Brown-213389
Posted Thursday, March 19, 2009 2:58 AM
Is it me, or did they miss "Check for NULL"?
There is no problem so great that it can not be solved by caffeine and chocolate.
Post #679234
majorbloodnock
Posted Thursday, March 19, 2009 3:00 AM
Well, I've just added that list to my browser favourites. It's an excellent resource.
I'm a DBA who, at various points, has had to branch out and learn sufficient about various development platforms to achieve certain business requirements. It's easy enough when learning something new to find out what can/can't be done, but it's actually very difficult to find out what should/shouldn't be done. If you simply use your common sense, you don't know enough about the new environment to identify the risks. If you ask for recommendations from a community (such as this), you'll get chapter and verse, and you'll have problems sifting out the important nuggets.
Therefore, I'll be using that list as a benchmark for any of my applications, and thanks for pointing it out.
Semper in excretia, sumus solum profundum variat
Post #679235
Andy Lennon
Posted Thursday, March 19, 2009 7:03 AM
In my experience it's fairly difficult to squeeze any sort of good coding practice out of most developers. They have deadlines, code quality be damned.
As Steve pointed out, security and error handling are significant culprits, but there are others that are less visible, and I think perhaps more common: poor/lack of naming conventions, spaghetti code, useless/missing comments, orphaned functions, etc.
I can't think what else might belong on that list but I'm sure there's something.
We can hope that the NSA list will be used as a benchmark for adequately secure code, but the chances of it being used widely are, I think, quite small.
Post #679358
Bob Griffin
Posted Thursday, March 19, 2009 8:35 AM
Let's go back to the overused analogy of building a house. If you tell a carpenter to build a house that can't be broken into or that is impervious to fire, that carpenter is going to look at you like you are a fool. However, with the help of some specialized subcontractors, namely someone who installs security systems and fire alarms, that person can give you some insulation to the problems of breaking in and fire. They aren't foolproof solutions, but they make it tougher on the burglar.
As a programmer or DBA, we can't be expected to be experts in everything. Yes we can use some security best practices, but we also need the help of specialists that focus on security issues in whatever environment we are working in. We also need more standards to help guide us. This would be similar to the Building Codes carpenters and general contractors have to use.
Post #679477
Charles Kincaid
Posted Thursday, March 19, 2009 9:11 AM
You've heard the old saw "drive defensively". Well, code defensively.
Assume that all data is CRAP.
Assume that all code is broken. Especially if you wrote it.
I don't give a hang what DRI is in place, you can still have orphans and invalid data in tables.
"That can't happen." is most often heard right after it just did.
Code, reports, etc. that work just fine in the shop can and will drop dead upon deployment.
Managed code is managed, but not perfect.
Even Micro$oft has bugs.
One of my customers switched to a large famous ERP system. The new system had been tested for months. What brought it down on the first day live? Someone posted a memo stating that all users should log on at precisely 10 AM Eastern.
Jammed the logon queues and, a couple of minutes later, the phone system. Perfectly working software. Killed by several thousand people all watching the clock tick down and hitting the button together.
ATB
Charles Kincaid
Post #679532
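Ian's "Check for NULL" and Charles's point that DRI does not guarantee clean tables both come down to the same habit: verify rather than assume. The T-SQL below is an added example, not code from either poster. It assumes two tables, dbo.Orders(OrderId, CustomerId, Status) and dbo.Customers(CustomerId), and shows how to find orphans without trusting the constraint, how to tell whether the engine itself trusts the constraint, and the NULL comparison that makes a naive check silently miss rows.

```sql
-- Added example (not from the thread). dbo.Orders and dbo.Customers are assumed tables.

-- 1. Orphans: child rows whose parent is gone. NOT EXISTS is NULL-safe; NOT IN over a
--    subquery that can return a NULL would return no rows at all and look "clean".
SELECT o.OrderId, o.CustomerId
FROM dbo.Orders AS o
WHERE o.CustomerId IS NOT NULL
  AND NOT EXISTS (SELECT 1
                  FROM dbo.Customers AS c
                  WHERE c.CustomerId = o.CustomerId);

-- 2. NULL foreign keys: a FOREIGN KEY constraint does not reject NULL, so a nullable
--    CustomerId passes DRI while pointing at nothing.
SELECT o.OrderId
FROM dbo.Orders AS o
WHERE o.CustomerId IS NULL;

-- 3. Constraints created WITH NOCHECK, or disabled later, are marked untrusted: the
--    engine makes no promise about rows that already existed and will not use the
--    constraint to simplify plans either.
SELECT fk.name, fk.is_disabled, fk.is_not_trusted
FROM sys.foreign_keys AS fk
WHERE fk.parent_object_id = OBJECT_ID(N'dbo.Orders')
  AND (fk.is_disabled = 1 OR fk.is_not_trusted = 1);

-- After the orphans are repaired, re-validate every existing row and make the
-- constraints trusted again:
-- ALTER TABLE dbo.Orders WITH CHECK CHECK CONSTRAINT ALL;

-- 4. "Check for NULL" in comparisons: NULL <> N'Closed' evaluates to UNKNOWN, not TRUE,
--    so this query drops every order whose Status was never set.
SELECT OrderId
FROM dbo.Orders
WHERE Status <> N'Closed';

--    State the intent about NULL explicitly instead.
SELECT OrderId
FROM dbo.Orders
WHERE Status <> N'Closed' OR Status IS NULL;
```

Queries 1 to 3 are cheap enough to run on a schedule; a row from any of them is the "that can't happen" case arriving early, before a report or an application dereferences the missing parent.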
Steve Jones - SSC Editor
Posted Thursday, March 19, 2009 9:40 AM
Charles, that's a good list. I need to keep that one around.
Post #679574
Copyright © 2002-2013 Simple Talk Publishing. All Rights Reserved.