Taking Shortcuts

By Steve Jones,

Many of us work in situations where we feel pressure to get work done at a pace that's faster than we might like to move. In some sense, this is the nature of life, where customers and clients always want something done immediately. Whether they're ordering food or building a house, it seems that quite often the customer expects the creator to just work harder and faster, without making mistakes, and deliver the goods quickly.

That may or may not work, but it does often result in issues in software. While we can fix them, there can sometimes be larger issues, especially where sensitive data is involved. There was an incident recently that reminded me of this, though fortunately, it appears the data loss was minimal in scope and sensitivity.

The mobile app at a recent security conference leaked data. The builders of the app embedded security keys and passwords that allowed anyone that registered to download a database of attendees. Fortunately this was a limited set and it appears only names were exposed. However, it could have been much worse, especially if this were a typical non-normalized database that might contain all data about an attendee in one row.

I don't know the timeline here for development, and I certainly don't know the requirements. I do know that embedding keys and passwords into an application is a bad idea, and even worse when those applications are going to be installed on customer devices. These are fundamental rules, and I certainly hope that whoever worked on this application, and anyone reading about this story, knows not to do this again.
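One practical guard against exactly this mistake is a release gate that scans the files about to be packaged into a client build and fails the build when credential-shaped strings are present. The script below is an added example written for this editorial; it is not code from the conference app or from SQLServerCentral. The pattern list, the file names and the sample build contents are all constructed for illustration, and the "good" file shows the design the text implies: the device holds only a per-user session token and talks to a backend API, so there is no database password to leak in the first place.

```python
import re
from typing import Dict, List, Tuple

# Credential shapes that should never ship inside a client build.
# This is a hypothetical starter list for illustration; extend it for
# the stacks you actually use (cloud provider keys, OAuth client secrets, ...).
SECRET_PATTERNS = [
    # SQL Server / ODBC style connection strings carrying a password
    ("connection_string_password", re.compile(r"(?i)\b(password|pwd)\s*=\s*[^;\"'\s]+")),
    # AWS access key id shape (constructed pattern, public format)
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    # PEM private key material
    ("private_key_block", re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----")),
    # Long literal assigned to something called api key / secret / token
    ("api_key_literal",
     re.compile(r"(?i)\b(api[_-]?key|secret|token)\s*[:=]\s*[\"'][A-Za-z0-9_\-]{16,}[\"']")),
]

Finding = Tuple[str, str, int]  # (file name, pattern label, line number)


def scan_text(name: str, text: str) -> List[Finding]:
    """Return one finding per (pattern, line) that matches in a single file."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for label, pattern in SECRET_PATTERNS:
            if pattern.search(line):
                findings.append((name, label, lineno))
    return findings


def scan_build(files: Dict[str, str]) -> List[Finding]:
    """Scan every file destined for the client package, in a stable order."""
    findings: List[Finding] = []
    for name, text in sorted(files.items()):
        findings.extend(scan_text(name, text))
    return findings


def release_gate(files: Dict[str, str]) -> bool:
    """True when the build is clean; False when any embedded credential is found."""
    return not scan_build(files)


# Constructed sample build tree. Two files repeat the mistake from the
# editorial (a database password and an API key baked into the app);
# the third shows the client only carrying a per-user session token.
SAMPLE_BUILD = {
    "app/config.json": (
        '{\n'
        '  "db": "Server=db.example.invalid;Database=Attendees;'
        'User Id=app;Password=NotARealPassword1"\n'
        '}'
    ),
    "app/api.js": 'const API_KEY = "sk_constructed_0123456789abcdef";\n',
    "app/main.js": (
        'fetch("https://api.example.invalid/attendees/me", '
        '{headers: {Authorization: "Bearer " + sessionToken}});\n'
    ),
}

if __name__ == "__main__":
    for name, label, lineno in scan_build(SAMPLE_BUILD):
        print(f"{name}:{lineno}: embedded credential ({label})")
    print("release gate:", "PASS" if release_gate(SAMPLE_BUILD) else "FAIL")
```

Run it as a step in the build pipeline and make a non-empty finding list fail the job. The scan is deliberately a last line of defense: the durable fix is the shape of `app/main.js`, where the database credentials live only on the server and each user gets a scoped token, so a leaked app bundle exposes nothing that lets a stranger download the whole attendee table.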

No matter how rushed we are, it's important that we follow some practices and include some security in our systems. I'd argue that data security ought to be number one and built into the system from the start. As the GDPR asks, we should be ensuring this is included by design and default. As much as it might seem that new legislation is overreaching and burdensome, I'd argue that mistakes like this one are all too common when we feel pressure to get work done. We shouldn't be making these mistakes, nor should we be pressured to ignore security for the sake of expediency.
