March 18, 2009 at 3:03 pm
Comments posted to this topic are about the item Secure Programming
March 18, 2009 at 10:43 pm
What I find most interesting about the NSA's list is that the #3 worst practice on their list is specific to SQL: SQL Injection vulnerability.
-- RBarryYoung, (302)375-0451 blog: MovingSQL.com, Twitter: @RBarryYoung
Proactive Performance Solutions, Inc. "Performance is our middle name."
March 18, 2009 at 11:15 pm
It isn't always easy to convince even experienced developers that SQL Injection can be a problem. Look at this current thread.
Avoiding injection on stored procedure
March 19, 2009 at 2:56 am
Michael Valentine Jones (3/18/2009)
It isn't always easy to convince even experienced developers that SQL Injection can be a problem. Look at this current thread. Avoiding injection on stored procedure
I've put a suggestion at http://www.sqlservercentral.com/Forums/Topic678702-8-2.aspx for that one.
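The stored-procedure injection case the two posts above point at, shown as an added T-SQL example (not code from this thread or from the linked topic; the table and column names are made up for the illustration). Both procedures take the same parameter; the first splices it into the statement text, the second passes it as a typed parameter, and a perfectly legitimate value containing an apostrophe is enough to show the difference.

```sql
-- Constructed demo table (assumed name; not from the thread).
CREATE TABLE dbo.Customer (CustomerId INT IDENTITY PRIMARY KEY, LastName NVARCHAR(100) NOT NULL);
INSERT INTO dbo.Customer (LastName) VALUES (N'Smith'), (N'O''Brien');
GO

-- Vulnerable shape: the caller's text becomes part of the SQL that EXEC parses.
-- Any quote character in @LastName rewrites the WHERE clause instead of being data.
CREATE PROCEDURE dbo.FindCustomer_Unsafe
    @LastName NVARCHAR(100)
AS
BEGIN
    DECLARE @sql NVARCHAR(MAX);
    SET @sql = N'SELECT CustomerId, LastName FROM dbo.Customer WHERE LastName = '''
             + @LastName + N'''';
    EXEC (@sql);   -- whatever @LastName contains is compiled and executed as SQL
END;
GO

-- Hardened shape: the statement text is a fixed string; the value is bound to @p
-- by sp_executesql and is never parsed as SQL, so quotes stay ordinary characters.
CREATE PROCEDURE dbo.FindCustomer_Safe
    @LastName NVARCHAR(100)
AS
BEGIN
    DECLARE @sql NVARCHAR(MAX) =
        N'SELECT CustomerId, LastName FROM dbo.Customer WHERE LastName = @p';
    EXEC sys.sp_executesql @sql, N'@p NVARCHAR(100)', @p = @LastName;
END;
GO

-- Ordinary data with an apostrophe: the unsafe procedure fails with a syntax
-- error because the quote terminated the literal; the safe one returns the row.
EXEC dbo.FindCustomer_Safe   @LastName = N'O''Brien';   -- returns O'Brien
EXEC dbo.FindCustomer_Unsafe @LastName = N'O''Brien';   -- raises a syntax error
GO
```

The syntax error is the tell to look for in review: a procedure that can be broken by an apostrophe in user data is one whose statement text is being assembled from that data. Where dynamic SQL is genuinely needed (the column or table name itself varies), keep values as sp_executesql parameters and wrap identifiers with QUOTENAME after checking them against a fixed allow-list.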
March 19, 2009 at 2:58 am
Is it me, or did they miss "Check for NULL"?
March 19, 2009 at 3:00 am
Well, I've just added that list to my browser favourites. It's an excellent resource.
I'm a DBA who, at various points, has had to branch out and learn sufficient about various development platforms to achieve certain business requirements. It's easy enough when learning something new to find out what can/can't be done, but it's actually very difficult to find out what should/shouldn't be done. If you simply use your common sense, you don't know enough about the new environment to identify the risks. If you ask for recommendations from a community (such as this), you'll get chapter and verse, and you'll have problems sifting out the important nuggets.
Therefore, I'll be using that list as a benchmark for any of my applications, and thanks for pointing it out.
Semper in excretia, suus solum profundum variat
March 19, 2009 at 7:03 am
In my experience it's fairly difficult to squeeze any sort of good coding practice out of most developers. They have deadlines, code quality be damned.
As Steve pointed out, security and error handling are significant culprits, but there are others that are less visible, and I think perhaps more common: poor/lack of naming conventions, spaghetti code, useless/missing comments, orphaned functions, etc.
I can't think what else might belong on that list, but I'm sure there's something.
We can hope that the NSA list will be used as a benchmark for adequately secure code, but the chances of it being used widely are, I think, quite small.
March 19, 2009 at 8:35 am
Let's go back to the overused analogy of building a house. If you tell a carpenter to build a house that can't be broken into or that is impervious to fire, that carpenter is going to look at you like you are a fool. However, with the help of some specialized subcontractors, namely someone who installs security systems and fire alarms, that person can give you some insulation from the problems of break-ins and fire. They aren't foolproof solutions, but they make it tougher on the burglar.
As a programmer or DBA, we can't be expected to be experts in everything. Yes, we can use some security best practices, but we also need the help of specialists who focus on security issues in whatever environment we are working in. We also need more standards to help guide us. This would be similar to the building codes carpenters and general contractors have to use.
March 19, 2009 at 9:11 am
You've heard the old saw "drive defensively". Well code defensively.
One of my customers switched to a large famous ERP system. The new system had been tested for months. What brought it down on the first day live? Someone posted a memo stating that all users should log on at precisely 10 AM Eastern. :w00t: Jammed the logon queues and, a couple of minutes later, the phone system. Perfectly working software. Killed by several thousand people all watching the clock tick down and hitting the button together.
ATB
Charles Kincaid
March 19, 2009 at 9:40 am
Charles, that's a good list. I need to keep that one around.
March 19, 2009 at 9:45 am
Constants aren't and variables do...
March 19, 2009 at 10:28 am
Too many web developers I have met do not understand even half of the items in the top 25 list...
And if they don't get it, management certainly does not within those same organizations.
March 19, 2009 at 10:52 am
Ian Brown (3/19/2009)
Constants aren't and variables do...
What language is it where
1 = 2
is supported?
ATB
Charles Kincaid
March 19, 2009 at 11:56 am
Charles Kincaid (3/19/2009)
Ian Brown (3/19/2009)
Constants aren't and variables do...
What language is it where
1 = 2
is supported?
I've forgotten enough COBOL that I can't recall if it worked there, but I'm pretty sure that's true and easy to explain in Perl (for small values of easy).
March 19, 2009 at 12:28 pm
Charles Kincaid (3/19/2009)
Ian Brown (3/19/2009)
Constants aren't and variables do...
What language is it where
1 = 2
is supported?
The issue isn't whether it's supported in some language, the issue is whether it happens in that language.
-- RBarryYoung, (302)375-0451 blog: MovingSQL.com, Twitter: @RBarryYoung
Proactive Performance Solutions, Inc. "Performance is our middle name."