Secure Programming

Steve Jones
SSC Guru (148K reputation)
Group: Administrators
Points: 148032 Visits: 19444
Comments posted to this topic are about the item Secure Programming

Follow me on Twitter: @way0utwest
Forum Etiquette: How to post data/code on a forum to get the best help
My Blog: www.voiceofthedba.com
RBarryYoung
SSC-Dedicated (35K reputation)
Group: General Forum Members
Points: 35482 Visits: 9518
What I find most interesting about the NSA's list is that the #3 worst practice on their list is specific to SQL: SQL Injection vulnerability.

-- RBarryYoung, (302)375-0451 blog: MovingSQL.com, Twitter: @RBarryYoung
Proactive Performance Solutions, Inc.
"Performance is our middle name."
Michael Valentine Jones
SSChampion (14K reputation)
Group: General Forum Members
Points: 14689 Visits: 11848
It isn't always easy to convince even experienced developers that SQL Injection can be a problem. Look at this current thread.

Avoiding injection on stored procedure
http://www.sqlservercentral.com/Forums/Topic678702-8-1.aspx
Ian Brown-213389
SSC-Enthusiastic (175 reputation)
Group: General Forum Members
Points: 175 Visits: 715
Michael Valentine Jones (3/18/2009)
It isn't always easy to convince even experienced developers that SQL Injection can be a problem. Look at this current thread.

Avoiding injection on stored procedure
http://www.sqlservercentral.com/Forums/Topic678702-8-1.aspx

I've put a suggestion at http://www.sqlservercentral.com/Forums/Topic678702-8-2.aspx for that one.

There is no problem so great that it can not be solved by caffeine and chocolate.
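The pattern behind the linked "Avoiding injection on stored procedure" thread, as a constructed T-SQL example added here (not code from this thread or the linked one): a stored procedure that splices a caller's value into dynamic SQL, beside the same procedure rewritten to bind the value as a parameter through sp_executesql. The dbo.Customer table, its rows and the procedure names are assumptions.

```sql
-- Constructed sample table; not from the thread.
CREATE TABLE dbo.Customer
(
    CustomerId int IDENTITY(1,1) PRIMARY KEY,
    Name       nvarchar(100) NOT NULL
);
INSERT INTO dbo.Customer (Name) VALUES (N'Alice'), (N'O''Brien');
GO

-- Vulnerable form: the caller's text becomes part of the statement text,
-- so a value containing a quote changes the statement rather than the
-- comparison. This is the shape the linked thread is arguing about.
CREATE PROCEDURE dbo.FindCustomer_Unsafe @Name nvarchar(100)
AS
BEGIN
    DECLARE @sql nvarchar(max) =
        N'SELECT CustomerId, Name FROM dbo.Customer WHERE Name = '''
        + @Name + N'''';
    EXEC (@sql);
END;
GO

-- Hardened form: the statement text is a constant and the value travels
-- as a typed parameter, so the server only ever compares it, never parses
-- it. The NULL check is the "check for NULL" point raised in this thread:
-- a NULL @Name would otherwise match nothing and report nothing.
CREATE PROCEDURE dbo.FindCustomer_Safe @Name nvarchar(100)
AS
BEGIN
    IF @Name IS NULL
    BEGIN
        RAISERROR (N'@Name is required.', 16, 1);
        RETURN;
    END;

    DECLARE @sql nvarchar(max) =
        N'SELECT CustomerId, Name FROM dbo.Customer WHERE Name = @p';
    EXEC sys.sp_executesql @sql, N'@p nvarchar(100)', @p = @Name;
END;
GO

-- A name containing a quote is plain data to the safe procedure; the
-- same value handed to the unsafe one ends the string literal early.
EXEC dbo.FindCustomer_Safe @Name = N'O''Brien';
```

Where the statement does not actually need to be built at run time, static SQL with the parameter used directly in the WHERE clause is simpler still and removes the question entirely.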
Ian Brown-213389
SSC-Enthusiastic (175 reputation)
Group: General Forum Members
Points: 175 Visits: 715
Is it me, or did they miss "Check for NULL"?

There is no problem so great that it can not be solved by caffeine and chocolate.
majorbloodnock
SSCrazy (2.5K reputation)
Group: General Forum Members
Points: 2505 Visits: 3064
Well, I've just added that list to my browser favourites. It's an excellent resource.

I'm a DBA who, at various points, has had to branch out and learn enough about various development platforms to achieve certain business requirements. It's easy enough when learning something new to find out what can/can't be done, but it's actually very difficult to find out what should/shouldn't be done. If you simply use your common sense, you don't know enough about the new environment to identify the risks. If you ask for recommendations from a community (such as this), you'll get chapter and verse, and you'll have problems sifting out the important nuggets.

Therefore, I'll be using that list as a benchmark for any of my applications, and thanks for pointing it out.

Semper in excretia, sumus solum profundum variat
Andy Lennon
SSCommitted (1.6K reputation)
Group: General Forum Members
Points: 1592 Visits: 826
In my experience it's fairly difficult to squeeze any sort of good coding practice out of most developers. They have deadlines, code quality be damned.
As Steve pointed out, security and error handling are significant culprits, but there are others that are less visible, and I think perhaps more common: poor/lack of naming conventions, spaghetti code, useless/missing comments, orphaned functions, etc.
I can't think what else might belong on that list, but I'm sure there's something.

We can hope that the NSA list will be used as a benchmark for adequately secure code, but the chances of it being used widely are, I think, quite small.
Bob Griffin
SSCrazy (2K reputation)
Group: General Forum Members
Points: 2021 Visits: 702
Let's go back to the overused analogy of building a house. If you tell a carpenter to build a house that can't be broken into or that is impervious to fire, that carpenter is going to look at you like you are a fool. However, with the help of some specialized subcontractors, namely someone who installs security systems and fire alarms, that person can give you some insulation to the problems of breaking in and fire. They aren't foolproof solutions, but they make it tougher on the burglar.

As a programmer or DBA, we can't be expected to be experts in everything. Yes we can use some security best practices, but we also need the help of specialists that focus on security issues in whatever environment we are working in. We also need more standards to help guide us. This would be similar to the Building Codes carpenters and general contractors have to use.
Charles Kincaid
Hall of Fame (3.3K reputation)
Group: General Forum Members
Points: 3305 Visits: 2384
You've heard the old saw "drive defensively". Well, code defensively.

  • Assume that all data is CRAP
  • Assume that all code is broken. Especially if you wrote it.
  • I don't give a hang what DRI is in place, you can still have orphans and invalid data in tables.
  • "That can't happen." is most often heard right after it just did.
  • Code, reports, etc. that work just fine in the shop can and will drop dead upon deployment.
  • Managed code is managed but not perfect.
  • Even Micro$oft has bugs.

One of my customers switched to a large famous ERP system. The new system had been tested for months. What brought it down on the first day live? Someone posted a memo stating that all users should log on at precisely 10 AM Eastern. w00t Jammed the logon queues and, a couple of minutes later, the phone system. Perfectly working software. Killed by several thousand people all watching the clock tick down and hitting the button together.

ATB, Charles Kincaid
Steve Jones
SSC Guru (148K reputation)
Group: Administrators
Points: 148032 Visits: 19444
Charles, that's a good list. I need to keep that one around.

Follow me on Twitter: @way0utwest
Forum Etiquette: How to post data/code on a forum to get the best help
My Blog: www.voiceofthedba.com