Would you post your password on a wall in your office? Of course not, because other employees, the cleaning crew, even guests walking around your office would be able to access your system with your account. When I read Brian Kelly’s post on passwords in files, that’s what I thought of. Sticking credentials in a file, where they’re subject to any kind of search, is a bad idea.
However this happens all the time. Combine this with a few other “common practices” like using sa to connect to a database and building dynamic SQL, and you might as well just set blank passwords and invite someone to have fun with your database. It’s sad that we continue to see these types of software development practices in 2014, and especially poor to see them from companies that sell software.
There is so much information out there on building software that is of higher quality and is much more secure. However all too often I find developers just aren’t implementing these practices. There are probably a myriad of reasons why, and I wish we had more ways to better train people, disseminate the information, and enforce it’s use.
Ultimately we can only do what we can. However I’d encourage those of you that see poor practices taking place to have a word with the developer (internally), or send a note to the vendor. If it’s more important to make a few more dollars than implement better practices, I’d encourage you to publicly call some attention to the matter. Maybe a little exposure to the dark side of software development will pressure managers to require more secure work over time.
The Voice of the DBA Podcast
The Voice of the DBA podcast features music by Everyday Jones. No relation, but I stumbled on to them and really like the music. Support this great duo at www.everydayjones.com.