Security Outside the Database

SQL Injection shouldn't be this easy

It’s 2012.

We’ve known about SQL Injection for years, we’ve known about the issues with high privilege admin accounts for decades, and poor configuration has been an issue ever since we first started networking two computing devices together. Yet these supposedly well known issues are still problems for databases in many companies.

We have a lot of work to do in the database with regards to security. Auditing, tracking, and configuring security are all challenges, and while SQL Server is getting better with the enhancements in SQL Server 2012, there is still work to do on the platform. I do think that Microsoft needs some help and guidance from us here as well, as we implement new features and find problems with using, scaling, or just understanding them. I hope you will try out the new features, submit feedback on Connect, and write about your experiences.

However, the security implemented in the database is often circumvented by poor practices outside the database. There’s little excuse for developers not to understand SQL Injection and code around it. There’s no excuse for frameworks and sample code to show code that allows SQL Injection. As far as privileged accounts go, that’s a bit of laziness on the part of admins. The modern OSs do a good job of allowing you to elevate from a non-privileged account. So even if you want to be lazy and give more access to developers or non-admins, give them an audited, second account that can be used to track activity. I’d prefer that we educate admins more and work closer with each other to ensure work gets done quickly, while maintaining a separation of duties, if for no other reason than to have a second pair of eyes examine changes for issues.
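The "code around it" point above is concrete enough to show. What follows is an added example, not code from the editorial or from SQLServerCentral: it puts the string-concatenation pattern that sample code still teaches beside the parameterized form, runs both against a constructed in-memory SQLite table (a stand-in for SQL Server; the same distinction applies to ADO.NET's SqlParameter), and adds a small code-review check that flags lines where a SQL statement literal is built with `+`, `%`, `.format(` or an f-string. The table contents, the hostile input string and the lines fed to the checker are all constructed for the demonstration.

```python
import re
import sqlite3

# Constructed sample data (not from the article): a two-row users table.
SAMPLE_USERS = [("alice", "alice@example.com"), ("bob", "bob@example.com")]


def make_db():
    """Build an in-memory SQLite database standing in for a real server."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_email_unsafe(conn, name):
    """The pattern the editorial warns against: user input spliced into SQL text."""
    sql = "SELECT email FROM users WHERE name = '" + name + "' ORDER BY email"
    return [row[0] for row in conn.execute(sql)]


def lookup_email_safe(conn, name):
    """Parameterized query: the driver binds the value; it is never parsed as SQL."""
    sql = "SELECT email FROM users WHERE name = ? ORDER BY email"
    return [row[0] for row in conn.execute(sql, (name,))]


def demo():
    """Run both lookups with a normal name and with a constructed hostile string."""
    conn = make_db()
    benign = "alice"
    # Constructed hostile input: the quote closes the literal and a tautology follows.
    hostile = "x' OR '1'='1"
    return {
        "unsafe_benign": lookup_email_unsafe(conn, benign),
        "unsafe_hostile": lookup_email_unsafe(conn, hostile),   # leaks every row
        "safe_benign": lookup_email_safe(conn, benign),
        "safe_hostile": lookup_email_safe(conn, hostile),       # matches nothing
    }


# Code-review helper: a SQL verb inside a string literal that is then joined to
# other values by +, %, .format( or written as an f-string. Heuristic, line-based.
_SQL_VERB = r"\b(SELECT|INSERT|UPDATE|DELETE)\b"
_CONCAT = re.compile(r"""["'].*""" + _SQL_VERB + r""".*["']\s*(\+|%|\.format\()""", re.I)
_FSTRING = re.compile(r"""\bf["'].*""" + _SQL_VERB, re.I)


def find_sql_concatenation(source):
    """Return (line number, stripped line) for each line that builds SQL from input."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), 1):
        if _CONCAT.search(line) or _FSTRING.search(line):
            hits.append((lineno, line.strip()))
    return hits


# Constructed source lines to run the checker over (line 1 is the blank line).
CONSTRUCTED_SOURCE = '''
q1 = "SELECT * FROM t WHERE id = " + user_id
q2 = "SELECT * FROM t WHERE id = ?"
q3 = f"DELETE FROM t WHERE id = {user_id}"
q4 = "UPDATE t SET a = %s" % val
'''

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
    for lineno, text in find_sql_concatenation(CONSTRUCTED_SOURCE):
        print("review:", lineno, text)
```

The parameterized version is not "escaping done right"; it sends the statement and the value separately, so there is no string for an attacker's quote to close. The checker is deliberately simple and will miss SQL assembled across several lines, but it catches the one-liners that frameworks and samples tend to show, which is the editorial's complaint.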

As far as networking issues go, we have to demand more education from networking people. The days of connecting machines to a hub and worrying about IP addressing and the correct gateways are gone. Networking is much more complicated, and firewall administrators need to better understand their systems.

Education is the key to making the systems work better, as it is in so many parts of life. Demand (if you can) or ask (if you can’t demand) that your fellow workers learn to work with their platforms better and improve the security throughout your entire system.

Steve Jones

About way0utwest

Editor, SQLServerCentral