SQL Injection, Still?

  • Agreed. But that goes to management for not providing training in such an important subject. Of course most employers don't train on anything anyway.

  • Eric M Russell (2/17/2015)


    But are most data breaches the result of SQL injection or even ad-hoc database access by outsiders?

    From what I've seen, most of these massive data breaches are done by:

    - sniffing unencrypted wifi network traffic (Google Street View)

    - malware installed on retail POS terminals (Target)

    - privileged database users who dump a data load to a USB drive and then walk out the door (NSA and Defense Department)

    - improperly designed website caching (HealthCare.Gov)

    Most massive breaches are malware or loss of backup/usb/laptop.

    However there are many SQL Injection vulnerabilities out there and lots of application attacks that occur. They don't need to be massive to be an issue.

  • Steve Jones - SSC Editor (2/17/2015)


    Eric M Russell (2/17/2015)


    But are most data breaches the result of SQL injection or even ad-hoc database access by outsiders?

    From what I've seen, most of these massive data breaches are done by:

    - sniffing unencrypted wifi network traffic (Google Street View)

    - malware installed on retail POS terminals (Target)

    - privileged database users who dump a data load to a USB drive and then walk out the door (NSA and Defense Department)

    - improperly designed website caching (HealthCare.Gov)

    Most massive breaches are malware or loss of backup/usb/laptop.

    However there are many SQL Injection vulnerabilities out there and lots of application attacks that occur. They don't need to be massive to be an issue.

    I believe it is possible/probable that a lot of SQL injection attacks go unnoticed. If the only thing accomplished is to steal data, it is realistic to assume a lot of companies are unaware of being hacked. Data loss due to SQL injection could very well be far more common than we are aware of.

    Also, I doubt most breaches are reported. At a conference I attended on security, about 1% of the people in the room thought it necessary to contact authorities for issues as serious as child porn being found on company computers, and threats of massive armed violence! The other 99% felt it was perfectly OK to let HR handle it, or the company security staff. This despite the fact that an FBI agent was present and explaining why we need to involve them. I particularly liked his response to the person who asked why he couldn't just delete what he found instead of calling the FBI - "How do you like wearing orange?"

    Dave

  • GoofyGuy (2/17/2015)


    IT these days looks more like a craft brewery where we keep changing the recipe: sometimes it works, and sometimes it's disgusting.

    I'm tempted to make a comparison between American brewing and American coding, but shall refrain in the interest of trans-Atlantic comity.

    But you didn't refrain. 😉

    If you assume that all beers brewed in America are as crappy as the ones you get overseas you really need to get out more. Craft brewing is a big deal on the left side of the pond but that stuff doesn't make it overseas. The stuff that makes it over is swill like Bud Light that has to be served at 1/2 degree above freezing to disguise the awful taste. Trust me we have plenty of good beer, it is just brewed in such small batches it doesn't even get around the country much less the globe.

    _______________________________________________________________

    Need help? Help us help you.

    Read the article at http://www.sqlservercentral.com/articles/Best+Practices/61537/ for best practices on asking questions.

    Need to split a string? Try Jeff Moden's splitter http://www.sqlservercentral.com/articles/Tally+Table/72993/.

    Cross Tabs and Pivots, Part 1 – Converting Rows to Columns - http://www.sqlservercentral.com/articles/T-SQL/63681/
    Cross Tabs and Pivots, Part 2 - Dynamic Cross Tabs - http://www.sqlservercentral.com/articles/Crosstab/65048/
    Understanding and Using APPLY (Part 1) - http://www.sqlservercentral.com/articles/APPLY/69953/
    Understanding and Using APPLY (Part 2) - http://www.sqlservercentral.com/articles/APPLY/69954/

  • But you didn't refrain.

    * Sigh *

    The Yanks still don't do irony. 😉

    If you assume that all beers brewed in America are as crappy as the ones you get overseas you really need to get out more.

    At the moment, I'm writing from America (Left Coast, as it were). Some decent brews here, out of Dale Bros and Hangar 24, to name a few.

    Don't get too big a head, though. For every pint of Dale Bros, there's an ocean of Budweiser. And in the hinterlands (exotic places I've been, like Texas and Montana), they'd rather drink from the ocean.

  • SQL injection has been around for years. Thankfully someone made me aware of the ease with which it could be minimised years ago. For years I have been building apps to a set of rules that I hope eliminates SQL injection.

    Everything from a website comes via web services.

    Then web services never ever do a SELECT, DELETE, UPDATE or INSERT; they are only ever allowed to execute a stored procedure.

    The User used by web services has limited exec permissions on certain procs only.

    Any varchar parameter is put through a "sanitizing" function to ensure there are no nasties hidden in it. This happens initially before a web service submits to a proc and again within the proc.

    All parameters are validated before any concatenation or use in a query of any sort. This has the added benefit of telling web site developers where they are going wrong.

    I am a fan of doing checks as close to the data as possible, so if I am never ever going to be inserting, updating or deleting more than X records at a time from a table, I put a trigger in to stop anything different happening. If on the odd occasion (housekeeping/purge or archiving) I need to break that trigger rule, then I simply disable the trigger and re-enable it straight after the housekeeping action.

    Nothing replaces knowing the data and what is actually happening to it.

    This does mean that procs have to be built for everything but it does control security. It also splits the workload and in some ways speeds up development. The web services and website guys work closely with me (database development) and we move the logic/processing to where the tools best suit the job.

    Really it is not hard; once the framework is up it is bulletproof. In over 15 years of writing websites I am yet to suffer a successful SQL injection attack. We've seen more than a few attempts over the years. We log them so we can see what sort of things are being tried and how we could do it better.

    Oh, and to the guy with the SearchCustomer proc, please put it in a different place and tell me where; if I get some time I'll bang a few better options together for you. What you have would not pass any of my tests. Also, doing a LIKE on a text field where you have no idea of the text may lead to performance issues (on top of injection), assuming your database is of size. Have you thought about full-text indexing?
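    The post above describes a framework rather than showing it, so here is an added T-SQL sketch of the same pattern (not the poster's code): a web-service account that holds only EXECUTE on a parameterised procedure, validation repeated inside the procedure, and a trigger that caps how many rows a single statement may touch. The table dbo.Customer, the procedure dbo.SearchCustomer, the user WebSvcUser and the limit of 100 rows are assumed for illustration.

```sql
-- Added example, not from the original post. Assumed objects: dbo.Customer,
-- dbo.SearchCustomer, user WebSvcUser; row limit of 100 is a placeholder.

-- 1. The web-service account: no table rights at all, only EXECUTE on named procs.
CREATE USER WebSvcUser WITHOUT LOGIN;   -- constructed; map to the real service login in practice
GO

CREATE PROCEDURE dbo.SearchCustomer
    @LastName nvarchar(50)
AS
BEGIN
    SET NOCOUNT ON;
    -- Validate again inside the proc, as close to the data as possible.
    -- Reject NULL, empty/oversized values, and anything outside letters, space, apostrophe, hyphen.
    IF @LastName IS NULL
       OR LEN(@LastName) NOT BETWEEN 1 AND 50
       OR @LastName LIKE '%[^a-zA-Z ''-]%'
        THROW 50001, 'Invalid LastName parameter', 1;

    -- The parameter is used as a value, never concatenated into statement text,
    -- so its contents cannot alter the structure of the query.
    SELECT CustomerId, FirstName, LastName
    FROM dbo.Customer
    WHERE LastName = @LastName;
END;
GO

GRANT EXECUTE ON dbo.SearchCustomer TO WebSvcUser;
-- Deliberately no SELECT/INSERT/UPDATE/DELETE grants on dbo.Customer for WebSvcUser.
GO

-- 2. Row-count guard: a single statement may never change more than 100 rows.
CREATE TRIGGER dbo.trg_Customer_MaxRows
ON dbo.Customer
AFTER INSERT, UPDATE, DELETE
AS
BEGIN
    -- For UPDATE both pseudo-tables are populated, so take the larger count.
    DECLARE @Ins int = (SELECT COUNT(*) FROM inserted),
            @Del int = (SELECT COUNT(*) FROM deleted);
    IF (CASE WHEN @Ins > @Del THEN @Ins ELSE @Del END) > 100
    BEGIN
        ROLLBACK TRANSACTION;
        THROW 50002, 'Statement would affect more rows than allowed on dbo.Customer', 1;
    END;
END;
GO

-- Housekeeping window, as the post describes: disable, run the purge, re-enable.
-- DISABLE TRIGGER dbo.trg_Customer_MaxRows ON dbo.Customer;
-- ENABLE  TRIGGER dbo.trg_Customer_MaxRows ON dbo.Customer;
```

Attempts that fail the parameter check or trip the row-count guard surface as errors 50001/50002 in the application log, which is the kind of attempt logging the post mentions.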

  • Everything from a website comes via web services.

    Spot on, just what I wrote in one of my previous posts as well.

    I'm not sure what percentage of DBAs know what a web service is, however, or its potential for reducing SQL injection attacks. Certainly our own DBAs needed an education on the subject.

    Once knowledgeable, they heartily approved.

  • GoofyGuy (2/17/2015)


    But you didn't refrain.

    * Sigh *

    The Yanks still don't do irony. 😉

    If you assume that all beers brewed in America are as crappy as the ones you get overseas you really need to get out more.

    At the moment, I'm writing from America (Left Coast, as it were). Some decent brews here, out of Dale Bros and Hangar 24, to name a few.

    Don't get too big a head, though. For every pint of Dale Bros, there's an ocean of Budweiser. And in the hinterlands (exotic places I've been, like Texas and Montana), they'd rather drink from the ocean.

    Sigh. More generalizations. Pardon me if I get slightly defensive that in one breath you say we can't code or make beer. In addition to being an American I prefer good beer and good code. I guess I am a rare breed.


  • Pardon me if I get slightly defensive that in one breath you say we can't code or make beer.

    Pardon me if my joking didn't come across as such.

  • GoofyGuy (2/17/2015)


    Pardon me if I get slightly defensive that in one breath you say we can't code or make beer.

    Pardon me if my joking didn't come across as such.

    Let's go share a pint and call it good. 😀


  • Agreed, mate! :hehe:

  • GoofyGuy (2/17/2015)


    IT these days looks more like a craft brewery where we keep changing the recipe: sometimes it works, and sometimes it's disgusting.

    I'm tempted to make a comparison between American brewing and American coding, but shall refrain in the interest of trans-Atlantic comity.

    Almost unbelievably it is unfair to talk of American craft beers like that nowadays. I had a terrific American IPA just last week.

    Gaz

    -- Stop your grinnin' and drop your linen...they're everywhere!!!

  • Almost unbelievably it is unfair to talk of American craft beers like that nowadays. I had a terrific American IPA just last week.

    Gaz, it was indeed an unexpected pleasure to sample some of the craft beers I had in California recently. I'm not an IPA (which California craft breweries seem to produce in dizzying variety) drinker, but I still found a good number of excellent local porters and stouts.

    Wonders will never cease.

  • GoofyGuy (2/17/2015)


    Almost unbelievably it is unfair to talk of American craft beers like that nowadays. I had a terrific American IPA just last week.

    Gaz, it was indeed an unexpected pleasure to sample some of the craft beers I had in California recently. I'm not an IPA (which California craft breweries seem to produce in dizzying variety) drinker, but I still found a good number of excellent local porters and stouts.

    Wonders will never cease.

    I don't like IPAs either but those are nearly as prolific on the US beer palate as Bud Light. It seems that many people here prefer the super hoppy beers. I am in full agreement of porters and stouts though. The darker the beer the better for me.


  • I am in full agreement of porters and stouts though. The darker the beer the better for me.

    Aye, it's best when carved with a fork and knife!
