I think Troy Hunt is an incredible thinker. His view and work to improve security in infrastructure and applications is incredible and valuable. I think the focus on better passwords and the implications of data breaches has grown in the world, perhaps due to Troy’s work with https://haveibeenpwned.com/. Plenty of non technical people know about the site, and more than a few government officials.
Recently I read a piece from Mr. Hunt on passwords and why they will continue to exist for some time. I agree that the understanding and convenience of passwords makes them a tool that will remain widely deployed for some time. I like the additional verification from Google and other sites with a text or message on a phone for MFA (multi-factor authentication), and would love to see that in SQL Server, but this doesn’t eliminate the need for passwords. It just adds to them.
The idea of password has a parallel in database development as well. One of the most basic things that we do as data professionals is fix problems on our systems. We do this in various ways, but I’d bet almost every organization has an individual that has made a change in a live, production database. Why? Because it’s easy and it needs to be done sometimes to fix code, data, or something else quickly. We know it’s not ideal, but it works.
I try to talk about compliant Database DevOps, about having a process, the need for evaluating code and data changes, about limiting access to production, about ensuring every statement is tested elsewhere, about even masking/anonymizing/generating data in dev/test environments. Most of us know these are good ideas, and likely quite a few of us would like to adopt them. Why don’t we? Part of it is the ease with which we get things done. Another part is the success that we have with our current process.
We fix things, we add indexes, we correct typos in code, we adjust our deployment to succeed, even though the scripts had problems. We roll forward constantly, coding by the seat of our pants, and for the most part our organizations continue to function well. Brent Ozar’s recent survey on production data in development shows that in some cases there isn’t a security risk, but quite a few times expediency and troubleshooting mean we work in production or copy data.
I still think DevOps is the better way to move development forward. At Redgate, we have a suite of tools that help you smooth database development to reduce mistakes and problems. Not because you can’t be successful the way you are, but because you can go faster, make more experiments and changes, and deploy on demand rather than as a special event. We help you save time, which should translate into your highly paid staff spending time on creative new solutions, not fixing tedious problems. We even expect you’ll do things in production, which is why DLM Dashboard was built.
We’re not the only vendor doing this. Plenty of others are trying to help you build a smoother database DevOps process, including Microsoft. Most expert software developers know that DevOps is a better way to build software that focuses and takes advantage of the creativity of your developers, while reducing the time spent on non-creative work. I, and many others, feel that the database needs to be a part of this to be as successful as we can be.