• Interesting article - not bad overall, though it again conflated stored procedures with parameterization, and completely missed not giving the service account admin permissions.

    Password security wasn't mentioned (and given the Adobe breach, it's clearly still a critical area) - suffice it to say, use PBKDF2/PKCS#5/RFC2898 with tens of thousands of iterations total, or bcrypt or scrypt with the equivalent.

    I have to agree with the posters above - the #1 problem I really see is that it is very difficult to get anywhere close to less-insecure code if you're learning and using any kind of normal sources (classes, books, Internet searches, forums), because even the top quartile of normal sources stop cold at "it compiles and it runs (de minimis)". Try a search on how to use AES encryption in .NET - even setting aside the articles that simply break functionally, you'll almost always see hardcoded salt/nonce and IV (Initialization Vector) values, which are a major security problem, and often you'll see ECB mode (another major security problem - see Adobe).

    It's difficult enough to learn to write maintainable or robust or efficient code, given the examples prevalent in almost all sources - adding secure on top of that is almost impossible unless you look very specifically for secure code... and you can judge the bad articles.

    Testing security is also much more difficult than any other coding tests. Testing correctness - well, if you knew what it's supposed to do, you've got your first set of test cases. Testing efficiency - code it three to five different ways, and measure that. Testing maintainability - try to pretend you haven't seen anything about it for 5 years, or show it to any other developer/DBA. Testing security - first you have to know all the attack types, then you have to recognize them, then you have to be able to duplicate them as a test condition...

    I do like SQLServerCentral, though - the articles vary, the ratings vary, but the discussions on the articles are very often extremely useful and high quality, pointing out mistakes, oversights, improvements, and alternatives.
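The two points the comment above raises (PBKDF2/RFC2898 password hashing with tens of thousands of iterations, and AES without hardcoded salt/nonce/IV values or ECB mode), as an added .NET example that is not code from the thread or the article it discusses. It assumes .NET 8 (Rfc2898DeriveBytes.Pbkdf2, RandomNumberGenerator.GetBytes and the two-argument AesGcm constructor); the class and method names are the example's own.

```csharp
using System;
using System.Security.Cryptography;

// Added example (not from the thread): PBKDF2 via Rfc2898DeriveBytes, and AES-GCM
// with a fresh random nonce per message instead of a constant IV or ECB mode.
public static class SaferCrypto
{
    const int Iterations = 100_000; // tens of thousands at minimum; raise as hardware improves
    const int SaltBytes = 16, HashBytes = 32, NonceBytes = 12, TagBytes = 16;

    // Stored form "iterations.salt.hash" keeps the parameters next to the hash,
    // so the iteration count can be raised later without breaking old records.
    public static string HashPassword(string password)
    {
        byte[] salt = RandomNumberGenerator.GetBytes(SaltBytes); // random per password, never a constant
        byte[] hash = Rfc2898DeriveBytes.Pbkdf2(password, salt, Iterations, HashAlgorithmName.SHA256, HashBytes);
        return $"{Iterations}.{Convert.ToBase64String(salt)}.{Convert.ToBase64String(hash)}";
    }

    public static bool VerifyPassword(string password, string stored)
    {
        string[] p = stored.Split('.');
        byte[] salt = Convert.FromBase64String(p[1]);
        byte[] expected = Convert.FromBase64String(p[2]);
        byte[] actual = Rfc2898DeriveBytes.Pbkdf2(password, salt, int.Parse(p[0]), HashAlgorithmName.SHA256, expected.Length);
        return CryptographicOperations.FixedTimeEquals(actual, expected); // no early-exit comparison
    }

    // Output layout: nonce || ciphertext || tag. The 32-byte key comes from a key store
    // or protected configuration, not from a literal in the source.
    public static byte[] Encrypt(byte[] key, byte[] plaintext)
    {
        byte[] nonce = RandomNumberGenerator.GetBytes(NonceBytes); // unique per message; a reused nonce breaks GCM
        byte[] output = new byte[NonceBytes + plaintext.Length + TagBytes];
        nonce.CopyTo(output, 0);
        using var gcm = new AesGcm(key, TagBytes);
        gcm.Encrypt(nonce, plaintext, output.AsSpan(NonceBytes, plaintext.Length),
                    output.AsSpan(NonceBytes + plaintext.Length, TagBytes));
        return output;
    }

    public static byte[] Decrypt(byte[] key, byte[] blob)
    {
        int ctLen = blob.Length - NonceBytes - TagBytes;
        byte[] plaintext = new byte[ctLen];
        using var gcm = new AesGcm(key, TagBytes);
        // Throws CryptographicException if the tag does not verify, i.e. on any tampering.
        gcm.Decrypt(blob.AsSpan(0, NonceBytes), blob.AsSpan(NonceBytes, ctLen),
                    blob.AsSpan(NonceBytes + ctLen, TagBytes), plaintext);
        return plaintext;
    }
}
```

Because GCM authenticates the ciphertext, a modified blob fails in Decrypt rather than yielding garbage plaintext, which CBC or ECB alone would not detect.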