Database Weekly - May 5, 2008

By Steve Jones, 2008/05/05

SQL Injection

I saw a few announcements last week about issues with IIS, which morphed into reports about how this was a SQL Injection issue and not anything to do with IIS.

I think Aaron Bertrand has it correct: this is a SQL Injection attack, but if you were more careful about building your applications, this wouldn't happen.

I hate to keep beating the security drum, but until people build in security from the beginning, and prevent SQL Injection attacks, this type of thing will continue to happen.
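The application-side mistake the editorial is talking about, shown as an added example that is not part of the original column: the same lookup written with string concatenation and with a bound parameter, run against a constructed in-memory SQLite table (sqlite3 is used here only because it runs offline; the pattern is identical for SQL Server drivers).

```python
import sqlite3


def setup_db() -> sqlite3.Connection:
    """Constructed sample table for the demonstration; not data from the editorial."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT NOT NULL, role TEXT NOT NULL)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "dba"), ("bob", "dev"), ("carol", "dev")],
    )
    return conn


def find_user_unsafe(conn: sqlite3.Connection, name: str) -> list:
    # The pattern that makes an application injectable: untrusted input is
    # pasted into the SQL text, so the database parses it as part of the query.
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def find_user_safe(conn: sqlite3.Connection, name: str) -> list:
    # Parameterized query: the SQL text is fixed and the value is bound
    # separately, so the input is only ever compared as data.
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def compare(name: str) -> dict:
    """Run both versions on one input so the difference is visible side by side."""
    conn = setup_db()
    try:
        return {"unsafe": find_user_unsafe(conn, name), "safe": find_user_safe(conn, name)}
    finally:
        conn.close()


if __name__ == "__main__":
    # A classic tautology payload; the unsafe version returns every row,
    # the safe version correctly finds no user with that literal name.
    print(compare("x' OR '1'='1"))
```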

Slow Growth

I saw this report on database growth for 2007 and Microsoft grew at a slower rate than Oracle or DB2, under the market average in fact. I'm sure this is disconcerting to the folks at Microsoft and I know they're rushing to get SQL Server 2008 out there to get growth growing again.

There are a few things to keep in mind here: first, this is growth in dollars, and since Microsoft is the cheapest, it's easy for it not to grow as much as the other vendors. The growth rate, 18.3%, is only a tenth of a percent behind 2006, so it's not like things have slowed way down. However, with all the newbie questions I've seen at SQLServerCentral.com, I think that there are plenty of people starting to use SQL Server.

The other thing that likely contributed to this, and I think this is a big one, is the horrific way in which SQL Server 2008 has been handled. A launch event announced last July, then a notification that this was not related to RTM and RTM would be later (Q2) and then later (Q3), makes people nervous. Do they upgrade to 2005? Do they hold off for 2008? Stick with 2000?

I'd lay most of the blame here on the marketing folks. Stop doing counter-intuitive stupid things like launching a product that's not done. The CTP6 wasn't even feature complete, despite the press that was put out to that effect.

As the service pack 3 debacle has shown, we want predictability and stability, not flash.

A Second Motion

There was an interesting discussion that occurred recently in Redmond where a number of people talked about having a two-phase commit for some actions, such as security-related matters, that would require two administrators to both agree on something.

Apparently other people are thinking about that, and here we see others thinking about the problems with single levels of authentication. A number of researchers are going in the same direction as SQL Server (or perhaps the other way around) and considering not only keys, but also policies that govern how data is accessed.

Personally I think there's still a lot of work to be done here to both better protect data from unauthorized access and also to make administration easier so that security is implemented. I think complexity often forces compromises on the type of security someone implements.
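One way the two-administrator idea from the discussion above could be enforced in an application layer, as an added example that is not from the column or from any SQL Server feature: a security-sensitive change is queued by one administrator and only released after a second, different administrator approves it. The administrator names, the action text and the gate class are all constructed for the illustration.

```python
from dataclasses import dataclass, field


@dataclass
class PendingAction:
    description: str
    requested_by: str
    approvals: set = field(default_factory=set)


class TwoAdminGate:
    """Releases an action only once two distinct administrators have agreed to it."""

    def __init__(self, admins):
        self.admins = set(admins)      # who is allowed to request or approve
        self.pending = {}              # action_id -> PendingAction
        self.released = []             # actions that cleared the gate, in order

    def request(self, action_id: str, description: str, admin: str) -> None:
        if admin not in self.admins:
            raise PermissionError(f"{admin} is not an administrator")
        # The requester counts as the first of the two required votes.
        self.pending[action_id] = PendingAction(description, admin, {admin})

    def approve(self, action_id: str, admin: str) -> bool:
        """Return True when this approval releases the action."""
        if admin not in self.admins:
            raise PermissionError(f"{admin} is not an administrator")
        action = self.pending[action_id]
        if admin == action.requested_by:
            # The point of the scheme: one person cannot supply both votes.
            return False
        action.approvals.add(admin)
        if len(action.approvals) >= 2:
            self.released.append(action.description)
            del self.pending[action_id]
            return True
        return False


if __name__ == "__main__":
    gate = TwoAdminGate(["ann", "ben"])
    gate.request("a1", "add login 'svc_report' to sysadmin", "ann")
    print(gate.approve("a1", "ann"))   # False: requester cannot self-approve
    print(gate.approve("a1", "ben"))   # True: second administrator released it
    print(gate.released)
```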

This work is licensed under a Creative Commons Attribution-Noncommercial 3.0 United States License.

Steve's Pick of the Week
License Plate SQL Injection - The picture says it all. What a cool idea!
The Voice of the DBA Podcasts

The podcast feeds are now available at sqlservercentral.podshow.com to get better bandwidth and maybe a little more exposure :). Comments are definitely appreciated and wanted, and you can get feeds from there.

Overall RSS Feed: or now on iTunes!

Today's podcast features music by Incompetech. Kevin Macleod has some great compositions in all genres of music. Check him out at www.incompetech.com.

I really appreciate and value feedback on the podcasts. Let us know what you like, don't like, or even send in ideas for the show. If you'd like to comment, post something here. The boss will be sure to read it.
