Speaking at SQL Saturday South Florida 2024

I’m heading to SQL Saturday South Florida 2024 next week. This is my second time attending the event and if you’re in the Miami area (or want to take the train down from N Florida), register today and join me.

This is my second time attending after missing the event for many years. Andy always said this was a fun place to go, but timing often didn’t work. It did last year and again this year.

I’ll be doing two sessions next week, but the schedule is packed with a wide variety of talks on ML, DevOps, Performance tuning, T-SQL, Fabric and more. I’m doing a talk on Blogging and one on Zero Downtime Deployments.

Register today and let’s connect, learn, and share next week.


Refreshed in Tuscany

I returned last Sat, 15 Jun, from 9 weeks of crazy travel. It wasn’t all for work, but it was a long stretch. I spent a good portion of Monday and Tuesday just getting caught up on what was going on, what the status of my workload is, and what I might have missed.

While it’s been a hectic week, it wasn’t that hard, other than a little recovery from jet lag. The last two weeks were in the UK/EU, so I don’t think I was back on Colorado time until Tuesday.

What helped me deal with that long stretch was some vacation. My wife and I spent most of the second week in the UK in Tuscany, Italy. We rented a small place in the Cortona region, just outside of Camucia. We rented a car and visited a few wineries, as well as Siena and Montepulciano. You can see the edge of our farmhouse down a private driveway with Cortona on the hill in the distance.


We had a very relaxing time there, and I’d highly recommend it as a vacation spot.

Part of my time in Australia was also a holiday with my wife where we mostly relaxed and did little, but explored Sydney a bit. Waking up to this view was amazing.


The point of this isn’t to make you jealous or brag about my holiday, but to remind you that getting away is important and nice. It can help you recharge, even when you’re busy. My trip to NY to see my daughter graduate was busy and hectic, but even then I felt better coming back to work after the change in scenery.

Whether you want one long break a year or lots of small ones (my preference), make sure you get away from work.


SQL Injection Is Not Acceptable

SQL Injection has been a problem for my entire career. Thirty years ago I could have easily just blamed this on ignorance, as most of our developers didn’t think about the nefarious ways that hackers enter data in our applications. These days, there isn’t a good reason for this to keep happening, and the problem is us. I think that we don’t provide good examples or training on secure coding or secure architecture as a normal part of teaching programming. In many organizations, we don’t check for issues and prevent their release. Some do, but many don’t. On top of this, the existing code is usually a poor template for writing future code. I do think Microsoft aims for secure coding in SQL Server, but in Windows there is work to be done.

A few months ago, I saw an article that noted the US CISA organization and the FBI issued a secure-by-design alert (PDF) stating there is no excuse for SQL Injection vulnerabilities (SQLi) in modern software. This alert notes that SQLi has been an “unforgivable vulnerability” since at least 2007. Inside the document on vulnerabilities, it notes that a single quote can’t be used in certain fields: username, password, ID field, or numeric field. They also note that co-mingling user data and query data, like constructing queries on demand, is a poor practice.

The alert even emphasizes that developers are engaging in poor practices when they “fail to treat user-supplied content as potentially malicious.”
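To make the co-mingling point concrete, here is an added example (not from the editorial or the advisory) that runs the same username lookup two ways against an in-memory SQLite database: once with the user value pasted into the SQL text, once with it passed as a bound parameter. The table, rows and the `o'brien` input are constructed for the demo; the point is that a legitimate apostrophe already turns the concatenated query into a parse error, which shows that user data has become SQL syntax.

```python
"""Added example: concatenated vs. parameterized lookup (constructed data)."""
import sqlite3


def setup_db() -> sqlite3.Connection:
    """Constructed sample data: a users table with one name containing a quote."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password_hash) VALUES (?, ?)",
        [("alice", "hash-a"), ("o'brien", "hash-b")],
    )
    return conn


def lookup_concatenated(conn: sqlite3.Connection, username: str):
    """Vulnerable form: the user value is spliced into the query text, so the
    database parser treats whatever the caller typed as part of the statement."""
    sql = "SELECT id, username FROM users WHERE username = '" + username + "'"
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.OperationalError as exc:
        # A plain apostrophe in the data is enough to break the statement:
        # data has been interpreted as SQL, which is the SQLi condition.
        return f"SQL error: {exc}"


def lookup_parameterized(conn: sqlite3.Connection, username: str):
    """Hardened form: the query text is fixed and the value travels separately
    as a bound parameter, so it is never parsed as SQL."""
    sql = "SELECT id, username FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


if __name__ == "__main__":
    db = setup_db()
    for name in ("alice", "o'brien"):
        print(f"{name!r:10} concatenated  -> {lookup_concatenated(db, name)}")
        print(f"{name!r:10} parameterized -> {lookup_parameterized(db, name)}")
```

The same split applies to a stored-procedure call or an ORM: the driver's parameter binding, not string escaping in application code, is what keeps the value and the query separate.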

I agree, and their recommendations are worth reading and implementing. If your boss doesn’t want to spend time on these, point out the bulletin and note that since this is a published advisory, I wouldn’t be surprised to start seeing lawsuits in the US or even insurance claim denials if your software team doesn’t follow these practices. Note that the list includes leadership support of secure coding and secure design principles.

I doubt this has changed a lot, but I think some managers likely see this as a) a good idea, and b) a way to mitigate potential issues down the road. Changing the habits of software developers, updating code snippets or patterns, and even adding linting/static-code-analysis to CI pipelines take time, as does the training for developers. However, it’s something that has to start changing over time to get better at building higher quality, more secure software.

I’d like to see insurance companies refuse to indemnify or cover losses or problems from software that is written from this point forward and is vulnerable to SQL Injection. There are far too many tools out there, and software is too critical to allow these types of simple coding errors to proliferate. I’d also be pressuring companies to ensure older code is being actively refactored to reduce the number of vulnerabilities over time for all software they still support.

Steve Jones

Listen to the podcast at Libsyn, Spotify, or iTunes.

Note, podcasts are only available for a limited time online.


Polyglot Persistence

I’ve seen the term polyglot persistence floating around Redgate a bit recently in the marketing department. I haven’t really seen this term anywhere, and I wonder if you have. If you have, drop a comment.

The definition is based on polyglot programming, where you write an app using multiple programming languages. I don’t know a lot of people who do that, and if you do, let me know. I guess some do, since I’ll see things like HTML+C#, or maybe something like Blazor + C#.

In any case, the idea seems to be that you use multiple databases to satisfy your requirements. A few examples might be:

  • SQL Server for most data, Redis to cache shopping carts
  • Oracle for most data, ElasticSearch for full-text searching
  • PostgreSQL for profiles and leaderboards, MongoDB for real-time game actions

I’ve tended to showcase NoSQL + Relational here, but I have seen a few people using two relational stores or two NoSQL stores because it suits their needs. The really common addition (for me) is some type of NoSQL store for performance, with more stable, long-term data in relational.

I don’t think this covers the relational for OLTP and something else for OLAP/warehousing, as that seems to be an ETL/ELT/transfer of data over time for a different purpose rather than for the same application, but I guess it could cover that.

I think Polyglot Persistence is a good idea, especially when you have complex requirements that aren’t easily solved with one database, even when you have in-memory or search/graph features in your database. Often those don’t perform as well as specialized systems, though there is a level of complexity and the challenge of ELT/ETL’ing the data to/from the second system.

Evaluate carefully, PoC, and test at scale before you decide this is worth the trade.
