This editorial was originally published on Mar 19, 2009. It is being re-run today as Steve is away at DevConnections.
Writing secure software is hard. The way most people learn software, from simple examples that slowly build our knowledge, doesn't encourage complicated solutions that provide robust error checking, error handling, and secure practices. Most examples that I've seen in the world include "dumbed down" code that is easy to understand and explain in a class or seminar.
And that's the code that often gets used by developers.
They go with the simple example, and enhance it, not really concerning themselves with best practices, or even great practices. In fact, if you search for sample code on the Internet, read articles on various sites about programming, or buy a book from an "expert" it seems that more often than not, the code isn't well written from a security perspective. Yet that's the code, and the mentoring, that many developers get.
And for a DBA, that code is a nightmare.
Too often the code samples and practices that are taught to people include dynamic SQL built in the application with little to no thought about SQL Injection. And it doesn't matter if the application is at fault. As the DBA it's often your phone that rings, and you that end up explaining to your boss why all the products on the site cost $1, or why every customer's name is "0wned by S&p#rG##k."
The NSA, along with a number of other companies, is trying to do something about poor programming practices. They have release a list of the 25 most dangerous programming mistakes. What's interesting is that some government agencies, and hopefully companies soon, are using this list as a litmus test for vendors. Software companies are being asked to guarantee that their software contains none of these mistakes.
I think it's a great idea, and I wonder how well it will be enforced. Microsoft and Oracle, among quite a few other software vendors, provided input into the list. You'd hope that their software would be fixed, or at least all new software would comply with the recommendations and not contain any of these mistakes.
The Voice of the DBA Podcasts
The podcast feeds are available at sqlservercentral.mevio.com. Comments are definitely appreciated and wanted, and you can get feeds from there.
You can also follow Steve Jones on Twitter:
Overall RSS Feed: or now on iTunes!
Today's podcast features music by Everyday Jones. No relation, but I stumbled on to them and really like the music. Support this great duo at www.everydayjones.com.
I really appreciate and value feedback on the podcasts. Let us know what you like, don't like, or even send in ideas for the show. If you'd like to comment, post something here. The boss will be sure to read it.