The Trustworthy Computing Security Development Lifecycle

This paper discusses the Trustworthy Computing Security Development Lifecycle (or SDL), a process that Microsoft has adopted for the development of software that needs to withstand malicious attack. The process encompasses the addition of a series of security-focused activities and deliverables to each of the phases of Microsoft's software development process. These activities and deliverables include the development of threat models during software design, the use of static analysis code-scanning tools during implementation, and the conduct of code reviews and security testing during a focused "security push". Before software subject to the SDL can be released, it must undergo a Final Security Review by a team independent from its development group. When compared to software that has not been subject to the SDL, software that has undergone the SDL has experienced a significantly reduced rate of external discovery of security vulnerabilities. This paper describes the SDL and discusses experience with its implementation across Microsoft software.

All about the 'Case'

When installing SQL Server, regardless of versions and editions, SQL Server database administrators tend to choose the default collation and sort-order, which is SQL_Latin1_General_CP1_CI_AS. Though case insensitiveness makes the life of the database developers and database administrator's easy, there are situations where case sensitivity should be enforced just as password checking is enforced.

In this article, I would like to discuss different methods for achieving case sensitivity in a case insensitive database/server.

Automating DTS Execution

Database Transformation Services (DTS) in SQL Server 200 was a breakthrough tool, really paving the way for a low-cost, easy to use, ETL tool. However, it was not a true robust programming environment and contains quite a few quirks that are apparent as you get into more detailed packages. New author Gus Carnu addresses one of those issues with a look at the ExecutePackage task.

Customizing SQL Server Reporting Services with .NET Code

With the release of Reporting Services, Microsoft has provided a truly enterprise-level reporting solution. Reporting Services provides support for the entire reporting life cycle including report authoring, report management, and report delivery

An Identity Crisis

SQL Server includes autonumber of identity columns despite the fact that they are not SQL-92 compliant. There is quite a bit of debate over the use of them in your database, but if you do decide to use them, you should be aware of potential problems. New author Troy Ketsdever brings us a story about his identity crisis and how it was solved.

SQL Server 2005 Security - Part 4

In this article, we will conclude our coverage of security related changes in SQL Server 2005 Beta 2 (although we will continue discussion of improvements in other functionality areas throughout the reminder of this series). The topics we will focus on here are code and module signing, modifications of SQL Server Agent and SQL Profiler operations, as well as monitoring and auditing changes.

Migration to Production

SQL Server is an easy to use product in many ways, much better than the other major RDBMSs out there. However it's source control and ease of moving changes from development to production needs some work. Having a solid process is as important as good tools and new author Grant Fritchey brings us his proven method for moving changes through QA into production.

Creating a User Defined Aggregate with SQL Server 2005

SQL Server doesn't have a Product aggregate function. A recent blog post by Karen Watterson pointed out that Microsoft Knowledge Base article Q89656: Simulating a PRODUCT() Aggregate Function discusses how to achieve the Product aggregate functionality using the POWER function. We e-mailed about it and she challenged me to create a Product aggregate in SQL Server 2005. I decided to accept the challenge.

SQL Server 2000 Security - Part 6 - Ownership and Object Permissions

We have described, so far, authorization based on a predefined fixed server (determining a set of SQL server-wide privileges) and database (applying to database objects and activities) roles. We have also discussed application roles, which makes the level of permissions independent of those assigned to a SQL Server login or a database user account. Now it is time to look into permissions from the point of view of database objects. There are two main factors that play a role in determining how access rights to them are evaluated - their ownership and custom permissions. We will discuss the first one of these topics in this article and will continue with the other one in the next installment of this series.

Securing SQL Backups

SQL Server does many things very well, but securing itself is not one of them. While securing your server requires some effort, there is an area that many people forget. Securing your backups! Brian Kelley, our resident security expert, brings some advice and ideas for ensuring your data will not be stolen.