When I started writing code, the applications I wrote for various companies would only receive manual code reviews from my peers, and then limited testing from a group of people who were usually bored and unchallenged in their jobs. More often than not, I'd be asked by people what to test, how the various parts of the application worked, and receive a basic double check on the tests I'd run, not any extensive analysis. I think a lot of people had, or even still have, a similar experience, which is one reason we have such poor security in many applications.
These days I know there are much better tools for testing applications, and I have heard of black box scanning of static source code. I haven't heard of too much real-time scanning of the executable code by the authors of code, but I'm sure there are tools out there to help you find vulnerabilities. I saw recently there are even better tools for scanning code that combine both techniques into something being called glass-box scanning.
Security is a problem in many applications, and it's great to see more tools being put into place to help uncover issues before our customers do. I don't know to what extent we are vulnerable in these ways at the database level, but I suspect that we do need better tools to help us comb through access logs, as well as double-check permissioning for users and objects. When we do have security problems, they are usually large security problems because of the large amount of data that can be exposed inappropriately, yet we don't have very mature tools and processes for monitoring and detecting problems.
Steve Jones