Secure Programming

By Steve Jones,

This editorial was originally published on Mar 19, 2009. It is being re-run today as Steve is away at DevConnections.

Writing secure software is hard. The way most people learn software, from simple examples that slowly build our knowledge, doesn't encourage complicated solutions that provide robust error checking, error handling, and secure practices. Most examples that I've seen in the world include "dumbed down" code that is easy to understand and explain in a class or seminar.

And that's the code that often gets used by developers.

They go with the simple example, and enhance it, not really concerning themselves with best practices, or even great practices. In fact, if you search for sample code on the Internet, read articles on various sites about programming, or buy a book from an "expert" it seems that more often than not, the code isn't well written from a security perspective. Yet that's the code, and the mentoring, that many developers get.

And for a DBA, that code is a nightmare.

Too often the code samples and practices that are taught to people include dynamic SQL built in the application with little to no thought about SQL Injection. And it doesn't matter if the application is at fault. As the DBA it's often your phone that rings, and you that end up explaining to your boss why all the products on the site cost $1, or why every customer's name is "0wned by S&p#rG##k."
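To make the concern concrete, here is an added example (not part of the original editorial) showing the two patterns side by side: the "simple sample" that pastes user input into the statement text, and the parameterized form that keeps the statement fixed and sends the value separately. It uses Python's built-in sqlite3 module as a stand-in for SQL Server so it runs offline; the `customers` table and its rows are constructed for the example. Even an innocent name containing an apostrophe is enough to show why the concatenated version is fragile, which is the same property that makes it injectable.

```python
import sqlite3


def make_db():
    """Build an in-memory database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, email TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (name, email) VALUES (?, ?)",
        [("Alice Smith", "alice@example.com"), ("Conor O'Brien", "conor@example.com")],
    )
    return conn


def build_dynamic_sql(name):
    """The 'dumbed down' pattern: caller input becomes part of the SQL text."""
    return "SELECT email FROM customers WHERE name = '" + name + "'"


def lookup_dynamic(conn, name):
    # Whatever the caller passes is parsed as SQL grammar. Ordinary data with
    # an apostrophe already breaks the statement; crafted data can change it.
    return [row[0] for row in conn.execute(build_dynamic_sql(name))]


def lookup_parameterized(conn, name):
    # The statement text never changes; the value travels as a bound parameter,
    # so the database engine never parses the input as SQL.
    return [
        row[0]
        for row in conn.execute(
            "SELECT email FROM customers WHERE name = ?", (name,)
        )
    ]


def compare(name):
    """Run both lookups for one input and report what each one did."""
    conn = make_db()
    safe = lookup_parameterized(conn, name)
    try:
        dynamic = lookup_dynamic(conn, name)
        dynamic_error = None
    except sqlite3.Error as exc:
        dynamic = None
        dynamic_error = type(exc).__name__
    return {"parameterized": safe, "dynamic": dynamic, "dynamic_error": dynamic_error}


if __name__ == "__main__":
    for candidate in ["Alice Smith", "Conor O'Brien"]:
        print(candidate, compare(candidate))
```

For "Alice Smith" both lookups return the same row, which is why the concatenated version survives testing with clean data. For "Conor O'Brien" the concatenated statement fails to parse while the parameterized one returns the correct email. On SQL Server the equivalent fix is a parameterized command (SqlParameter) from the application, or sp_executesql with typed parameters when dynamic SQL is genuinely required on the server side.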

The NSA, along with a number of other companies, is trying to do something about poor programming practices. They have released a list of the 25 most dangerous programming mistakes. What's interesting is that some government agencies, and hopefully companies soon, are using this list as a litmus test for vendors. Software companies are being asked to guarantee that their software contains none of these mistakes.

I think it's a great idea, and I wonder how well it will be enforced. Microsoft and Oracle, among quite a few other software vendors, provided input into the list. You'd hope that their software would be fixed, or at least all new software would comply with the recommendations and not contain any of these mistakes.

Steve Jones


The Voice of the DBA Podcasts

The podcast feeds are available at sqlservercentral.mevio.com. Comments are definitely appreciated and wanted, and you can get feeds from there.

You can also follow Steve Jones on Twitter:

Overall RSS Feed: or now on iTunes!

Today's podcast features music by Everyday Jones. No relation, but I stumbled on to them and really like the music. Support this great duo at www.everydayjones.com.

I really appreciate and value feedback on the podcasts. Let us know what you like, don't like, or even send in ideas for the show. If you'd like to comment, post something here. The boss will be sure to read it.
