Software Vendor Security
Steve Jones
Comments posted to this topic are about the item Software Vendor Security

Follow me on Twitter: @way0utwest
Forum Etiquette: How to post data/code on a forum to get the best help
My Blog: www.voiceofthedba.com
SQLNightOwl
Two thumbs up. We have an application (FootPrints) that we won't consolidate onto our primary SQL cluster because they insist on using the SA account for their database interaction. I'd throw using the SA account in as another very dumb practice.

--Paul Hunter
SQLRNNR
Paul Hunter (7/24/2010)
Two thumbs up. We have an application (FootPrints) that we won't consolidate onto our primary SQL cluster because they insist on using the SA account for their database interaction. I'd throw using the SA account in as another very dumb practice.


Is this the same FootPrints that is used for tracking trouble tickets?

The version we have doesn't use the sa password but the user account in use has elevated privileges. We can't change the password for that account on account of it breaking the application. We are in process of migrating away from that application on account of the horrendous security model it uses (as the primary reason).



Jason AKA CirqueDeSQLeil
I have given a name to my pain...
MCM SQL Server, MVP


SQL RNNR

Posting Performance Based Questions - Gail Shaw

Steve Jones
Mandating a specific account is a sign of a) poor security and b) crappy development practice.

We used to use Patrol from BMC at a company, and while it required admin/sysadmin privileges on previous Windows versions, it was actually our own developers that "reused" the service account we had set up for Patrol in other places to avoid worrying about security. It took me over a year to get that password changed after I started.

Follow me on Twitter: @way0utwest
Forum Etiquette: How to post data/code on a forum to get the best help
My Blog: www.voiceofthedba.com
SQLNightOwl
Is this the same FootPrints that is used for tracking trouble tickets?


Yep, that's the one. It's an OK app from the user's perspective (I guess) but deserves all the scorn you can heap on it for that practice (as does any other app doing this).

Hint to application developers -- if you're doing your development using the "sa" account or any account that requires SysAdmin permission then you're doing something wrong.

--Paul Hunter
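As an added example (not code from any poster in this thread), here is the T-SQL a DBA can run to see which logins actually hold sysadmin, so a vendor login that "insists on sa" or the equivalent shows up, followed by the least-privilege setup a vendor should be able to live with. The login name FootPrintsApp and database name FootPrintsDB are placeholders.

```sql
-- 1. Who is in the sysadmin fixed server role right now?
--    Any application login listed here is running with far more than it needs.
SELECT
    sp.name        AS login_name,
    sp.type_desc   AS login_type,
    sp.is_disabled,
    sp.create_date
FROM sys.server_role_members AS rm
JOIN sys.server_principals   AS r  ON r.principal_id  = rm.role_principal_id
JOIN sys.server_principals   AS sp ON sp.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin'
ORDER BY sp.name;

-- 2. Is the built-in sa login still enabled? It is always principal_id 1,
--    so this check still works if sa has been renamed.
SELECT name, is_disabled
FROM sys.server_principals
WHERE principal_id = 1;

-- 3. Least-privilege alternative for an application: a dedicated login with
--    no server-level role, mapped to a user that only reads/writes its own
--    database. Names are placeholders; replace the password before running.
USE master;
CREATE LOGIN [FootPrintsApp]
    WITH PASSWORD = N'<replace-with-a-strong-password>', CHECK_POLICY = ON;

USE [FootPrintsDB];
CREATE USER [FootPrintsApp] FOR LOGIN [FootPrintsApp];
-- ALTER ROLE ... ADD MEMBER needs SQL Server 2012 or later;
-- on 2005/2008 use EXEC sp_addrolemember 'db_datareader', 'FootPrintsApp';
ALTER ROLE db_datareader ADD MEMBER [FootPrintsApp];
ALTER ROLE db_datawriter ADD MEMBER [FootPrintsApp];

-- 4. Confirm the new login did not end up in sysadmin (expect 0).
SELECT IS_SRVROLEMEMBER(N'sysadmin', N'FootPrintsApp') AS is_sysadmin;
```

If the vendor's application still fails with this login, the error it raises tells you exactly which extra permission it wants, which is a much narrower thing to grant (or to push back on) than sysadmin.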
SQLRNNR
Paul Hunter (7/25/2010)
Hint to application developers -- if you're doing your development using the "sa" account or any account that requires SysAdmin permission then you're doing something wrong.


And they deserve scorn as well.



Jason AKA CirqueDeSQLeil
I have given a name to my pain...
MCM SQL Server, MVP


SQL RNNR

Posting Performance Based Questions - Gail Shaw

katy.park
I would add as a bad practice vendors that mandate using the server name as a password (?).
mar10br0
Don't get me started on this one (if not stopped, I will rant on until deep in the night..... :p)

[rant]
As a (senior) developer myself I've always, always stuck to the rule that any kind of hardcoded configuration in application source-code is reason for immediate termination of contract. Even for one-off applications that will run as an only instance on the only known machine in the company itself for that one-off occasion to do a one-off process.
It's shocking how often I've received a piece of code from one of my developers that wouldn't even run for testing on my PC because the developer hardcoded the database-connection to his own PC-name (and of course user PCs are configured not to accept any SQL-connections from the network, basta!)...

Alas, security in general seems to be a topic everyone will try to avoid until burnt hard personally. How can I tell my son (18) that if he does not install firewalling and anti-virus, he is essentially a willing part of criminal organisations who use such "open" targets for their criminal intent (gone are the days where hacking was a sport with harmless effects like leaving "Kilroy was here!" messages on your screen).

But the general public and even a large portion of software developers just don't seem to grasp that leaving your PC open for attack is the same as leaving your car-keys in your car in front of a bank with a sign saying "free get-away car for grabs!".
[/rant]

Spread the word on the importance of building security into software from the inside-out, bolting it on top as an afterthought is just not good enough anymore and should not be accepted from any of your vendors.
jay-h
On another website I've seen the suggestion that this is a problem especially for closed source products-- the priority is to get working product out the door often with generations of internal patches and bandaids. Since no one (except possibly hackers) sees these kludges, and the product works properly, the vulnerabilities can go on for decades.

Of course open source products have plenty of problems too, but they are exposed to a lot more eyes, and potentially, re-writes.

...

-- FORTRAN manual for Xerox Computers --
david_wendelken
One way to get some action (in US companies) is to tell your CIO that the software does comply with the required Sarbanes-Oxley (or other regulatory) guidelines.

That will get the software removed from the system asap.

Tell the vendor the reason why it was removed, and that you have written a letter detailing its security inadequacies to the appropriate regulatory agency for their review.

It will only take one stink-bomb in the press - plus the resultant contract cancellations and huge sales drop - for many software vendors to get the message.

Of course, you better be right and be able to prove you are right, 'cause the software company might come after you.