I was flipping through my list of feeds this week for Database Weekly and came upon a blog from MSDN that starts off with this sentence: "Most developers are reluctant to take the responsibility in security and assume that this is the job of web administrators and network engineers."
Could that really be true? Are there software developers in 2012 who think security is only a matter of proper firewall configuration and presenting a small surface area on an operating system? I really hope not, but it would explain why so many systems with code written in the last few years are still vulnerable to SQL Injection.
The post goes on to talk about well-known attack types, including SQL Injection and Cross-Site Scripting. It provides some examples that I hope developers would understand and be able to avoid. I would urge all developers to learn about secure coding practices and build them into their snippets and templates. Microsoft has Secure Coding Guidelines, but you should use other resources where possible, or even seek training for your developers.
The post has a couple of great lines in it, including this one: "First of all there is no fully secured system. If you want a fully secure system just turned off the server :)". That's true, but not very practical for most of us. However, we can include additional monitoring and auditing at the database level. We should be able to detect security breaches, especially if we cannot prevent them.
This is one area where I think the database platforms need to mature. There are plenty of articles on securing SQL Server, but we haven't yet built a good, easy-to-understand framework that provides good monitoring and auditing in a way the majority of DBAs can understand and implement. I'm hopeful that SQL Server will continue to grow and evolve in this area, and we will develop something that helps protect our data better in the future.