SQLServerCentral is supported by Red Gate Software Ltd.

Responsibility for Security

By Steve Jones,

I was flipping through my list of feeds this week for Database Weekly and came upon a blog from MSDN that starts off with this sentence: "Most developers are reluctant to take the responsibility in security and assume that this is the job of web administrators and network engineers."

Could that really be true? Are there software developers in 2012 who think security is only a matter of proper firewall configuration and presenting a small attack surface on an operating system? I really hope not, but it would explain why so many systems with code written in the last few years are still vulnerable to SQL Injection.

The post goes on to talk about well-known attack types, including SQL Injection and Cross-Site Scripting. It provides some examples of each that I hope developers will recognize and know how to avoid. I would urge all developers to learn about secure coding practices and build them into their snippets and templates. Microsoft has Secure Coding Guidelines, but you should use other resources where possible, or even seek out training for your developers.

The post has a couple of great lines in it, including this one: "First of all there is no fully secured system. If you want a fully secure system just turn off the server :)". That's true, but not very practical for most of us. However, we can include additional monitoring and auditing at the database level. We should be able to detect security breaches, especially the ones we cannot prevent.

This is one area in which I think the database platforms need to mature. There are plenty of articles on securing SQL Server, but we haven't yet built a good, easy-to-understand framework that provides monitoring and auditing in a way the majority of DBAs can understand and implement. I'm hopeful that SQL Server will continue to grow and evolve in this area, and that we will develop something that protects our data better in the future.
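The database-level monitoring described above can be started today with SQL Server Audit (SQL Server 2008 and later). The T-SQL below is an added example, not code from the editorial or the MSDN post it discusses; it assumes a database named SalesDB with a sensitive table dbo.Customers, and a file path D:\SQLAudit\ that the SQL Server service account can write to (all of these are placeholders to adjust).

```sql
-- Server-level audit target: a rolling set of binary audit files on disk.
USE master;
GO
CREATE SERVER AUDIT Audit_SensitiveData
    TO FILE (FILEPATH = 'D:\SQLAudit\',       -- placeholder path
             MAXSIZE = 100 MB,
             MAX_ROLLOVER_FILES = 10)
    WITH (QUEUE_DELAY = 1000, ON_FAILURE = CONTINUE);
GO
ALTER SERVER AUDIT Audit_SensitiveData WITH (STATE = ON);
GO

-- Instance-wide events: failed logins and changes to fixed server roles.
CREATE SERVER AUDIT SPECIFICATION AuditSpec_ServerEvents
    FOR SERVER AUDIT Audit_SensitiveData
    ADD (FAILED_LOGIN_GROUP),
    ADD (SERVER_ROLE_MEMBER_CHANGE_GROUP)
    WITH (STATE = ON);
GO

-- Database-level events: every read or write of the sensitive table by
-- any principal, plus schema changes (a common footprint of an injection
-- that has progressed beyond data theft).
USE SalesDB;                                  -- placeholder database
GO
CREATE DATABASE AUDIT SPECIFICATION AuditSpec_Customers
    FOR SERVER AUDIT Audit_SensitiveData
    ADD (SELECT, INSERT, UPDATE, DELETE ON OBJECT::dbo.Customers BY public),
    ADD (SCHEMA_OBJECT_CHANGE_GROUP)
    WITH (STATE = ON);
GO

-- Review: pull failed actions and any DELETE/ALTER from the audit files.
-- action_id 'DL' = DELETE, 'AL' = ALTER, 'LGIF' = login failed.
SELECT event_time, action_id, succeeded, server_principal_name,
       database_name, object_name, statement
FROM sys.fn_get_audit_file('D:\SQLAudit\*.sqlaudit', DEFAULT, DEFAULT)
WHERE succeeded = 0
   OR action_id IN ('DL', 'AL', 'LGIF')
ORDER BY event_time DESC;
```

Schedule the final query (or feed the audit files into your log collector) so that a burst of failed logins or an unexpected ALTER on a production table is noticed within minutes rather than at the next manual review.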

Tags
database weekly    
editorial    