May 23, 2019 at 6:25 pm
I started watching a YouTube video on Azure DevOps. I can't have the sound turned up where I am, so I turned on subtitles. This is as far as I got before I needed to take a guffaw break. I've worked with plenty of databases which deserved this treatment.
The absence of evidence is not evidence of absence.
Martin Rees
You can lead a horse to water, but a pencil must be lead.
Stan Laurel
May 23, 2019 at 7:25 pm
It seems fitting that Entity Framework would be described as modifying databases that way 🙂
May 23, 2019 at 7:45 pm
Wow. Just Wow.
Michael L John
If you assassinate a DBA, would you pull a trigger?
To properly post on a forum:
http://www.sqlservercentral.com/articles/61537/
May 23, 2019 at 7:49 pm
Luis Cazares wrote:"They" as Georgia Tech people.
I understand. But who did the injection, and who was tasked with preventing it? Was it an internal or external resource? The details regarding security are as important as the irony.
They haven't released the details. It's only known that it was a web application vulnerability happening since last December and it's now patched.
May 24, 2019 at 12:14 am
Wow. Just Wow. https://www.sqlservercentral.com/forums/topic/query-containing-while-loop-for-dates-taking-increditbly-long#post-3646645
I guess that's the word for it. They need some paid help especially in the area of some training.
--Jeff Moden
Change is inevitable... Change for the better is not.
May 24, 2019 at 1:04 pm
I started watching a YouTube video on Azure DevOps. I can't have the sound turned up where I am, so I turned on subtitles. This is as far as I got before I needed to take a guffaw break. I've worked with plenty of databases which deserved this treatment.
Yeah, this is the ugly truth behind DevOps.
"The credit belongs to the man who is actually in the arena, whose face is marred by dust and sweat and blood"
- Theodore Roosevelt
Author of:
SQL Server Execution Plans
SQL Server Query Performance Tuning
May 24, 2019 at 1:08 pm
I just presented a new session on SQL Injection at Techorama in Belgium and before that at SQLDay in Poland. As part of the prep, I did searches on recent breaches caused by Injection. There are so many. It's completely disheartening. The Georgia Tech one was bad. A worse one was iDressUp, a kids site. It's just nuts that we're dealing with this crap after 21 years of knowing how to fix it.
"The credit belongs to the man who is actually in the arena, whose face is marred by dust and sweat and blood"
- Theodore Roosevelt
Author of:
SQL Server Execution Plans
SQL Server Query Performance Tuning
May 24, 2019 at 1:35 pm
I just presented a new session on SQL Injection at Techorama in Belgium and before that at SQLDay in Poland. As part of the prep, I did searches on recent breaches caused by Injection. There are so many. It's completely disheartening. The Georgia Tech one was bad. A worse one was iDressUp, a kids site. It's just nuts that we're dealing with this crap after 21 years of knowing how to fix it.
Yes, it's insane that it isn't taken more seriously. People will say that they take it seriously, but then not give the people what they need to do it correctly. They hire people who don't know, don't train them, impose unrealistic deadlines and then complain about how much stuff costs. It all starts with the education people don't receive and that feeds the hiring. Like Jeff says, "They know the cost of everything and the value of nothing."
The managers are also the ones to have CYAs and DKs lined up, cover things up for months after a breach occurs and then release as little detail as possible to the public. Just look how bad the the USPS or Equifax ones were. I have a presentation that has a "slide of shame" with some of the larger hacks and it's sad just how busy it is.
It's way past time for companies to take security seriously. The attitude of management and bad development practices have gotten the IT industry to where it is today.
May 24, 2019 at 2:09 pm
Grant Fritchey wrote:I just presented a new session on SQL Injection at Techorama in Belgium and before that at SQLDay in Poland. As part of the prep, I did searches on recent breaches caused by Injection. There are so many. It's completely disheartening. The Georgia Tech one was bad. A worse one was iDressUp, a kids site. It's just nuts that we're dealing with this crap after 21 years of knowing how to fix it.
Yes, it's insane that it isn't taken more seriously. People will say that they take it seriously, but then not give the people what they need to do it correctly. They hire people who don't know, don't train them, impose unrealistic deadlines and then complain about how much stuff costs. It all starts with the education people don't receive and that feeds the hiring. Like Jeff says, "They know the cost of everything and the value of nothing." The managers are also the ones to have CYAs and DKs lined up, cover things up for months after a breach occurs and then release as little detail as possible to the public. Just look how bad the the USPS or Equifax ones were. I have a presentation that has a "slide of shame" with some of the larger hacks and it's sad just how busy it is. It's way past time for companies to take security seriously. The attitude of management and bad development practices have gotten the IT industry to where it is today.
Your research would make a great detailed blog post.
412-977-3526 call/text
May 24, 2019 at 2:14 pm
Yes, it's insane that it isn't taken more seriously. People will say that they take it seriously, but then not give the people what they need to do it correctly. They hire people who don't know, don't train them, impose unrealistic deadlines and then complain about how much stuff costs. It all starts with the education people don't receive and that feeds the hiring. Like Jeff says, "They know the cost of everything and the value of nothing." The managers are also the ones to have CYAs and DKs lined up, cover things up for months after a breach occurs and then release as little detail as possible to the public. Just look how bad the the USPS or Equifax ones were. I have a presentation that has a "slide of shame" with some of the larger hacks and it's sad just how busy it is. It's way past time for companies to take security seriously. The attitude of management and bad development practices have gotten the IT industry to where it is today.
I had hopes that the GDPR would actually start to move the needle on this stuff, but I don't think it's going to. It's pretty clear that businesses are going to undermine all the laws and take the teeth out of them so that we can carry with business as horribly usual.
"The credit belongs to the man who is actually in the arena, whose face is marred by dust and sweat and blood"
- Theodore Roosevelt
Author of:
SQL Server Execution Plans
SQL Server Query Performance Tuning
May 24, 2019 at 5:51 pm
Yes, it's insane that it isn't taken more seriously. People will say that they take it seriously, but then not give the people what they need to do it correctly. They hire people who don't know, don't train them, impose unrealistic deadlines and then complain about how much stuff costs. It all starts with the education people don't receive and that feeds the hiring. Like Jeff says, "They know the cost of everything and the value of nothing." The managers are also the ones to have CYAs and DKs lined up, cover things up for months after a breach occurs and then release as little detail as possible to the public. Just look how bad the the USPS or Equifax ones were. I have a presentation that has a "slide of shame" with some of the larger hacks and it's sad just how busy it is. It's way past time for companies to take security seriously. The attitude of management and bad development practices have gotten the IT industry to where it is today.
I'll also say that we dumb down early examples, POCs, and frameworks too much early on. We provide (and many of us as speakers are to blame), poor practices that people try to build on. I can't quite decide how to make better examples, but I have started to try and ensure I always show stupid long passwords, don't use dynamic SQL in an app view, etc. Give someone more secure copy-pastable code.
May 24, 2019 at 5:53 pm
I had hopes that the GDPR would actually start to move the needle on this stuff, but I don't think it's going to. It's pretty clear that businesses are going to undermine all the laws and take the teeth out of them so that we can carry with business as horribly usual.
I think it is, but slowly, and not consistently. Bigger companies keep finding ways around them, but smaller companies are doing a better job in many cases. I've been surprised how much better some of the data catalog stuff has taken off, and there do seem to be better new code. The hard part is little value in changing old code unless you get hacked.
Most managers (even some devs) would rather roll the dice and leave old code alone
May 27, 2019 at 7:00 pm
Grant Fritchey wrote:I just presented a new session on SQL Injection at Techorama in Belgium and before that at SQLDay in Poland. As part of the prep, I did searches on recent breaches caused by Injection. There are so many. It's completely disheartening. The Georgia Tech one was bad. A worse one was iDressUp, a kids site. It's just nuts that we're dealing with this crap after 21 years of knowing how to fix it.
Yes, it's insane that it isn't taken more seriously. People will say that they take it seriously, but then not give the people what they need to do it correctly. They hire people who don't know, don't train them, impose unrealistic deadlines and then complain about how much stuff costs. It all starts with the education people don't receive and that feeds the hiring. Like Jeff says, "They know the cost of everything and the value of nothing." The managers are also the ones to have CYAs and DKs lined up, cover things up for months after a breach occurs and then release as little detail as possible to the public. Just look how bad the the USPS or Equifax ones were. I have a presentation that has a "slide of shame" with some of the larger hacks and it's sad just how busy it is. It's way past time for companies to take security seriously. The attitude of management and bad development practices have gotten the IT industry to where it is today.
Have you guys looked at the "SQL Injection Hall of Shame"? http://codecurmudgeon.com/wp/sql-injection-hall-of-shame/
Wayne
Microsoft Certified Master: SQL Server 2008
Author - SQL Server T-SQL Recipes
May 28, 2019 at 11:03 am
Have you guys looked at the "SQL Injection Hall of Shame"? http://codecurmudgeon.com/wp/sql-injection-hall-of-shame/
Oh yeah. It's part of my presentation.
"The credit belongs to the man who is actually in the arena, whose face is marred by dust and sweat and blood"
- Theodore Roosevelt
Author of:
SQL Server Execution Plans
SQL Server Query Performance Tuning
May 28, 2019 at 11:22 am
Ed Wagner wrote:Grant Fritchey wrote:I just presented a new session on SQL Injection at Techorama in Belgium and before that at SQLDay in Poland. As part of the prep, I did searches on recent breaches caused by Injection. There are so many. It's completely disheartening. The Georgia Tech one was bad. A worse one was iDressUp, a kids site. It's just nuts that we're dealing with this crap after 21 years of knowing how to fix it.
Yes, it's insane that it isn't taken more seriously. People will say that they take it seriously, but then not give the people what they need to do it correctly. They hire people who don't know, don't train them, impose unrealistic deadlines and then complain about how much stuff costs. It all starts with the education people don't receive and that feeds the hiring. Like Jeff says, "They know the cost of everything and the value of nothing." The managers are also the ones to have CYAs and DKs lined up, cover things up for months after a breach occurs and then release as little detail as possible to the public. Just look how bad the the USPS or Equifax ones were. I have a presentation that has a "slide of shame" with some of the larger hacks and it's sad just how busy it is. It's way past time for companies to take security seriously. The attitude of management and bad development practices have gotten the IT industry to where it is today.
Have you guys looked at the "SQL Injection Hall of Shame"? http://codecurmudgeon.com/wp/sql-injection-hall-of-shame/
I didn't know about that one. Thank you, Wayne. It'll be included in future versions of that presentation.
Viewing 15 posts - 63,616 through 63,630 (of 66,738 total)
You must be logged in to reply to this topic. Login to reply