SQLServerCentral is supported by Redgate

Responsibility for Security

By Steve Jones

I was flipping through my list of feeds this week for Database Weekly and came upon a blog from MSDN that starts off with this sentence: "Most developers are reluctant to take the responsibility in security and assume that this is the job of web administrators and network engineers."

Could that really be true? Are there software developers in 2012 who think security is only a matter of proper firewall configuration and presenting a small attack surface on an operating system? I really hope not, but it would explain why so many systems with code written in the last few years are still vulnerable to SQL Injection.

The post goes on to talk about well-known attack types, including SQL Injection and Cross Site Scripting. It provides some examples that I hope developers would understand and be able to avoid. I would urge all developers to learn about secure coding practices and build them into their snippets and templates. Microsoft has Secure Coding Guidelines, but you should use other resources where possible, or even seek training for your developers.
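The SQL Injection weakness the post describes comes down to one habit: building a statement by concatenating caller input into the SQL text. The following T-SQL is an added example written for this editorial, not code from the MSDN post or from SQLServerCentral; the table dbo.Customers and both procedure names are assumptions. It shows the concatenation pattern beside the parameterized sp_executesql form that should go into a developer's snippets and templates.

```sql
-- Added example (not from the editorial). Assumed schema:
--   dbo.Customers(CustomerId int, Name nvarchar(100), City nvarchar(60))

-- Vulnerable pattern: the caller's value is spliced into the statement text,
-- so anything in @City is parsed as SQL instead of being treated as data.
-- (This query does not need dynamic SQL at all; the pattern is shown because
-- it is common in code where the filter columns vary at run time.)
CREATE PROCEDURE dbo.FindCustomersByCity_Unsafe @City nvarchar(60)
AS
BEGIN
    DECLARE @sql nvarchar(max) =
        N'SELECT CustomerId, Name FROM dbo.Customers WHERE City = ''' + @City + N'''';
    EXEC (@sql);   -- a quote character in @City changes the statement's structure
END;
GO

-- Hardened pattern: the statement text is a fixed literal and the value
-- travels as a typed parameter through sp_executesql, so it is never parsed
-- as SQL. The plan is also cached and reused, unlike the concatenated form.
CREATE PROCEDURE dbo.FindCustomersByCity @City nvarchar(60)
AS
BEGIN
    DECLARE @sql nvarchar(max) =
        N'SELECT CustomerId, Name FROM dbo.Customers WHERE City = @City;';
    EXEC sys.sp_executesql @sql, N'@City nvarchar(60)', @City = @City;
END;
GO

-- Constructed input: a legitimate city name containing an apostrophe.
-- The unsafe procedure raises a syntax error (or runs a different statement),
-- because the quote terminates the string literal; the hardened procedure
-- simply returns the customers whose City is exactly this value.
EXEC dbo.FindCustomersByCity N'O''Fallon';
```

The same rule applies from application code: pass values as SqlParameter objects (or the equivalent in your data-access layer) rather than formatting them into the command text, and review any procedure that contains EXEC with a concatenated string.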

The post has a couple of great lines in it, including this one: "First of all there is no fully secured system. If you want a fully secure system just turn off the server :-)". That's true, but not very practical for most of us. However, we can include additional monitoring and auditing at the database level. We should be able to detect security breaches, especially if we cannot prevent them.

This is one area in which I think the database platforms need to mature. There are plenty of articles on securing SQL Server, but we haven't yet built a good, easy-to-understand framework that provides monitoring and auditing in a way the majority of DBAs can understand and implement. I'm hopeful that SQL Server will continue to grow and evolve in this area, and that we will develop something that helps protect our data better in the future.
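The detection the two paragraphs above ask for is available today through SQL Server Audit (SQL Server 2008 and later). The T-SQL below is an added example for this editorial, not something from the article or from Microsoft's documentation; the audit, database, table and directory names are assumptions, and the directory must already exist and be writable by the SQL Server service account. It records failed logins, schema and server-role changes, and reads or changes of one sensitive table, then shows a review query over the audit files.

```sql
-- Added example (not from the editorial). Assumed: database [Sales] with
-- table dbo.Customers, and an existing directory C:\SQLAudit\ . All names
-- below are placeholders; choose your own.

USE master;
GO
-- The audit object defines where events go. ON_FAILURE = CONTINUE keeps the
-- server running if the audit target fails; use SHUTDOWN where policy demands it.
CREATE SERVER AUDIT SensitiveDataAudit
    TO FILE (FILEPATH = 'C:\SQLAudit\', MAXSIZE = 100 MB, MAX_ROLLOVER_FILES = 10)
    WITH (QUEUE_DELAY = 1000, ON_FAILURE = CONTINUE);
GO

-- Server-level events: login failures, DDL in any database, and changes
-- to fixed server role membership (a common sign of privilege escalation).
CREATE SERVER AUDIT SPECIFICATION SensitiveDataServerSpec
    FOR SERVER AUDIT SensitiveDataAudit
    ADD (FAILED_LOGIN_GROUP),
    ADD (SCHEMA_OBJECT_CHANGE_GROUP),
    ADD (SERVER_ROLE_MEMBER_CHANGE_GROUP)
    WITH (STATE = ON);
GO

USE Sales;
GO
-- Database-level events: every principal (BY public) that reads or
-- modifies the customer table. Auditing SELECT is noisy on busy tables,
-- so limit it to the data that actually matters.
CREATE DATABASE AUDIT SPECIFICATION CustomerTableSpec
    FOR SERVER AUDIT SensitiveDataAudit
    ADD (SELECT, UPDATE, DELETE ON OBJECT::dbo.Customers BY public)
    WITH (STATE = ON);
GO

USE master;
GO
ALTER SERVER AUDIT SensitiveDataAudit WITH (STATE = ON);
GO

-- Review query: failed actions and out-of-hours activity in the last day.
-- event_time is stored in UTC, so compare against SYSUTCDATETIME().
SELECT event_time, action_id, succeeded, server_principal_name,
       database_name, object_name, statement
FROM sys.fn_get_audit_file('C:\SQLAudit\*.sqlaudit', DEFAULT, DEFAULT)
WHERE event_time > DATEADD(HOUR, -24, SYSUTCDATETIME())
  AND (succeeded = 0 OR DATEPART(HOUR, event_time) NOT BETWEEN 7 AND 19)
ORDER BY event_time DESC;
```

Writing the audit to a file share or forwarding it to the Windows Security log, rather than keeping it on the same server, is what makes it useful after a breach: an attacker with sysadmin can disable the audit, but cannot retroactively remove records already shipped elsewhere. Reviewing the output on a schedule, not just creating it, is the part most environments skip.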
