A community of more than 1,600,000 database professionals and growing
The Poor State of Secure Coding

Security is becoming a bigger issue all the time. More companies are getting hacked and losing control of data. It seems every week there's a new disclosure from some firm. Recently OneLogin had a breach, which is very disturbing as they provide a single sign-on solution for customers. This year we've learned about E-Sports, XBOX, Playstation, IHG, Arby's, River City Media, Verifone, Dun and Bradstreet, and more. At this point, there's no reason for any large organization to wonder if they'll get hacked. They should be preparing for when they get hacked.

The state of coding is poor, with far too few developers understanding how to write secure code. Even trying to learn how to code securely is hard. Too many of the examples given show poor coding practices. If you search for secure coding practices, you'll get information, but none of the sample applications, none of the common information that most people would use to write code, is returned. This is especially true of data access, where far too many examples use dynamic strings.

Even if we had great developers, there would still be issues. A look at a survey from O'Reilly and SIG shows that there are still plenty of companies that are interested in security but don't perform reviews or use tools. Certainly many organizations don't invest heavily in security tools or resources, and many companies don't want to spend extra time worrying about security when there are features to build and deploy.

My wish is that large organizations would engage in constant pen testing and review of their systems, looking for vulnerabilities and patching them. I would hope that insurance companies would start to deny claims when a patch for any software has been available for six months or longer. That might help reduce the number of issues from older libraries not being upgraded. I would also expect any vendor selling software to engage in some security review for their products. In fact, I'd hope that once a company sells a certain number of units, this would be required. I'm still amazed that this isn't a requirement for purchase from more customers, but since most vendors don't bother, perhaps avoiding purchases of un-reviewed software isn't feasible.

Maybe it's just as well; even if we did have some sort of review, how many of us would understand what that means? How many of you really understand what PCI or HIPAA compliance means? How well has that helped us? I guess things could be a lot worse than they are today. Security is going to be an issue for a long time. All I can do is try to improve my own skills and ask you to do the same. Learn to code securely and try to improve the software you work on. It might only make a small difference, and you might never know if it helps, but I bet you'll feel better about your own work.

Steve Jones from SQLServerCentral.com
Join the debate, and respond to today's editorial on the forums
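The editorial's complaint about data-access examples built from dynamic strings is concrete enough to show. The following T-SQL is an added example, not code from the editorial or from SQLServerCentral: the table dbo.Customer, its two rows and the two procedure names are constructed for illustration. The first procedure concatenates the caller's value into the statement text, so a crafted value becomes part of the query; the second keeps the statement text fixed and passes the value through sys.sp_executesql as a typed parameter.

```sql
-- Constructed demo table and rows (not from the original page).
CREATE TABLE dbo.Customer (
    CustomerID int IDENTITY(1, 1) PRIMARY KEY,
    Name       nvarchar(100) NOT NULL,
    Email      nvarchar(200) NOT NULL
);
INSERT INTO dbo.Customer (Name, Email)
VALUES (N'Alice', N'alice@example.com'),
       (N'Bob',   N'bob@example.com');
GO

-- UNSAFE: the search term is spliced into the statement text, so quote characters
-- in the value change the shape of the query instead of being compared as data.
CREATE PROCEDURE dbo.FindCustomer_Unsafe @Name nvarchar(100)
AS
BEGIN
    DECLARE @sql nvarchar(max) =
        N'SELECT CustomerID, Name, Email FROM dbo.Customer WHERE Name = N''' + @Name + N'''';
    EXEC (@sql);
END
GO

-- SAFE: the statement text never changes; the value is bound as a typed parameter
-- and is compared as a string, whatever it contains.
CREATE PROCEDURE dbo.FindCustomer @Name nvarchar(100)
AS
BEGIN
    DECLARE @sql nvarchar(max) =
        N'SELECT CustomerID, Name, Email FROM dbo.Customer WHERE Name = @Name';
    EXEC sys.sp_executesql @sql, N'@Name nvarchar(100)', @Name = @Name;
END
GO

-- A normal lookup behaves the same in both procedures.
EXEC dbo.FindCustomer_Unsafe @Name = N'Alice';   -- 1 row
EXEC dbo.FindCustomer        @Name = N'Alice';   -- 1 row

-- A hostile value closes the literal, appends a tautology, and comments out the
-- trailing quote that the unsafe procedure adds.
DECLARE @hostile nvarchar(100) = N''' OR 1=1 --';
EXEC dbo.FindCustomer_Unsafe @Name = @hostile;   -- every row in the table
EXEC dbo.FindCustomer        @Name = @hostile;   -- 0 rows: nobody is literally named ' OR 1=1 --
GO
```

Two caveats a reviewer would raise. First, when the statement really is fixed, plain static SQL inside the procedure is better still; sp_executesql is for the cases where dynamic SQL is unavoidable. Second, parameters only cover values: a table or column name supplied by the caller cannot be parameterised, and has to be validated against an allow-list and wrapped with QUOTENAME() before it is concatenated.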
The Voice of the DBA Podcast: Listen to the MP3 Audio (4.3MB) podcast or subscribe to the feed at iTunes and Libsyn. The Voice of the DBA podcast features music by Everyday Jones. No relation, but I stumbled on to them and really like the music.
Amarendra Reddy Thummeti from SQLServerCentral.com: In this article, I will provide a set of examples to showcase the use of the OUTPUT clause in capturing the results of updated rows into a table variable for UPDATE statements.
Additional Articles from SQLPerformance.com: Paul White describes temporary object caching in SQL Server: what it is, why it exists, and how to use it to your advantage.
Additional Articles from Redgate: Prefer tabs but your teammates use spaces? That's not a problem with the brand new formatting options in SQL Prompt. It's now possible to customize, save, and share multiple styles that you can then quickly switch between when working. Here's how it works, and how to get set up.
Jason Brimhall from SQLServerCentral Blogs: Reporting Services. Reporting Services (SSRS) is a tool that permits you to create and deliver feature-rich reports. The reports can...
Devin Knight from SQLServerCentral Blogs: In this module you will learn how to use the Bowtie Chart Power BI Custom Visual. The Bowtie Chart visual...
Today's Question (by Stanley Kapfunde): For integers that are between 0 and 255, it is recommended to use which data type?
This question is worth 1 point in this category: data.
Yesterday's Question of the Day
Yesterday's Question (by Steve Jones): When using native backups in SQL Server 2016, and choosing to encrypt these backups, what options do I have for the encryption algorithm used for the data?
Answer: Triple DES, AES 128, AES 192, and AES 256
Explanation: Native backups can use Triple DES or AES. The AES key can be 128, 192, or 256 bits. Ref: Backup encryption
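The question above names the algorithms; the part that bites in practice is the certificate chain that the backup depends on. The following T-SQL is an added example, not part of the question or its reference: the certificate name BackupEncryptCert, the file paths, the passwords and the database name AdventureWorks2016 are placeholders to be replaced. It creates the key material, exports it, takes an AES 256 encrypted backup, and reads back from msdb which algorithm and certificate thumbprint the backup was written with.

```sql
USE master;
GO
-- 1. A database master key in master protects the certificate's private key.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = N'<strong master key password>';
GO
-- 2. The certificate whose key will encrypt the backups.
CREATE CERTIFICATE BackupEncryptCert
    WITH SUBJECT = N'Backup encryption certificate';
GO
-- 3. Export the certificate and its private key to a protected location straight away.
--    Without this export, an encrypted backup cannot be restored once the instance
--    (or just its master database) is gone.
BACKUP CERTIFICATE BackupEncryptCert
    TO FILE = N'C:\Keys\BackupEncryptCert.cer'
    WITH PRIVATE KEY (
        FILE = N'C:\Keys\BackupEncryptCert.pvk',
        ENCRYPTION BY PASSWORD = N'<strong private key password>');
GO
-- 4. Compressed, encrypted full backup. ALGORITHM accepts AES_128, AES_192, AES_256
--    or TRIPLE_DES_3KEY; compression must be requested explicitly here, since the
--    encrypted output is not compressible afterwards.
BACKUP DATABASE AdventureWorks2016
    TO DISK = N'D:\Backup\AdventureWorks2016_enc.bak'
    WITH COMPRESSION,
         ENCRYPTION (ALGORITHM = AES_256, SERVER CERTIFICATE = BackupEncryptCert),
         STATS = 10;
GO
-- 5. Confirm what the backup was actually written with before relying on it elsewhere.
SELECT TOP (1)
       b.database_name,
       b.key_algorithm,          -- e.g. aes_256
       b.encryptor_type,         -- CERTIFICATE
       b.encryptor_thumbprint,   -- must match the certificate on the restoring instance
       b.backup_finish_date
FROM msdb.dbo.backupset AS b
WHERE b.database_name = N'AdventureWorks2016'
ORDER BY b.backup_finish_date DESC;
GO
-- 6. On the restoring instance, the certificate with the same thumbprint has to exist in
--    master before RESTORE will read the file. Re-create it from the exported files:
-- CREATE MASTER KEY ENCRYPTION BY PASSWORD = N'<strong master key password>';
-- CREATE CERTIFICATE BackupEncryptCert
--     FROM FILE = N'C:\Keys\BackupEncryptCert.cer'
--     WITH PRIVATE KEY (FILE = N'C:\Keys\BackupEncryptCert.pvk',
--                       DECRYPTION BY PASSWORD = N'<strong private key password>');
-- RESTORE HEADERONLY FROM DISK = N'D:\Backup\AdventureWorks2016_enc.bak';
```

RESTORE HEADERONLY reports KeyAlgorithm, EncryptorType and EncryptorThumbprint for any backup file, which is the quickest way to find out which certificate a stray encrypted backup needs. Treat the .pvk file and its password as the secret they are: whoever holds both can read every backup made with that certificate.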
Ben Whitman from SQLServerCentral.com

Simply run this script on any SQL 2008+ server to install a condition and related policy which can be used to check target servers to see if they have any CPU-based power-saving features on. This can be extremely detrimental to performance, especially for parallel queries. Servers are considered compliant by this policy if each of their CPU cores is running at the maximum possible speed. If you find any non-compliant servers, you will probably need to boot into the BIOS of the machine and look for any power-related settings and set them to 'High Performance' or similar.

Some notes...

If any of your servers are clustered, then this policy will only target the currently active node, so bear in mind that your passive nodes won't be scanned. If you just want to do a quick one-off check on a server which is currently a passive cluster node (or any server for that matter), you can use PowerShell to query WMI directly from the machine:

    Get-WmiObject -Class Win32_Processor | Select-Object CurrentClockSpeed, MaxClockSpeed

Look for any rows where the CurrentClockSpeed is not equal to the MaxClockSpeed.

Don't evaluate the policy at a time when you know the target server is currently experiencing high CPU load. If you do, the CPU cores may already have 'woken up' and the policy will see the server as compliant.

If you scan all your servers only to find out that every single one of them has power-saving turned on, I recommend staggering the change to turn the feature off for each machine. By making this change, you may well shift some bottlenecks from CPU to I/O, for example, and you won't want to be investigating lots of new issues all at once, especially after having promised your manager massive improvements to all the SQL servers in your organisation.

If you have never run a WMI-based policy such as this one before, you may receive an error when you try to evaluate. If you do, try turning off User Account Control from the Control Panel in Windows or running SQL Management Studio 'as Administrator'.

As an alternative to using Policy-Based Management - if you don't have SQL 2008 or a central management server for evaluating groups of servers, or you simply want to check all your servers including passive cluster nodes (and even non-SQL servers!) - you can run the PowerShell command below. You will need the appropriate rights on the remote machines, of course...

First create a CSV file called servers.csv and lay it out as in the example below, with the header row containing just 'ServerName':

    ServerName
    YourServerName1
    YourServerName2

Then run this from the same directory as the csv file in PowerShell:

    # One row per server; the only column is ServerName
    $servers = Import-Csv servers.csv
    foreach ($server in $servers) {
        # Return only processors whose current speed is below their rated maximum
        $wmiOutput = Get-WmiObject -ComputerName $server.ServerName -Query "SELECT CurrentClockSpeed, MaxClockSpeed FROM Win32_Processor WHERE CurrentClockSpeed <> MaxClockSpeed"
        # Label each row with the server it came from
        $wmiOutput | Select-Object @{Name = 'ServerName'; Expression = { $server.ServerName }}, CurrentClockSpeed, MaxClockSpeed
    }

I do recommend the policy as well though, as it means (if you are using the model of Central Management Server + Enterprise Policy Management Framework) every new SQL server you deploy will get automatically checked.

Enjoy!
Ben
Database Pros Who Need Your Help
Here are a few of the new posts today on the forums. To see more, visit the forums.

How Does Preferred Owner Affect Availability Groups - Evening All, I know the rule of thumb is don't touch the Preferred Owner settings (apart from the Priority Order) but...
Page life expectancy for xxx is currently 356. - Hi, I got this alert for one DB server. SQL Server instance xxx - The operating system is paging at 5795.33 pages/second. Page life...
Attach Database Question - Hi, I was wondering if it is possible to attach an Enterprise Edition database to a Developer Edition instance. I took...
Index fragmentation - I have a table with two indexes. It is showing 60% fragmented. So I tried rebuilding the indexes. Still the indexes are showing...
SQL server 2014 is very slow - Based on this report (performance monitor) can anyone tell why the SQL server is running slow. Many applications have slow...
Query displaying redundant data for a menu item, menu has choices, but displays menu item multiple times with different choices - Ugh, I know that topic was ugly... I'll try to explain this as best I can... I am writing a report for...
cluster disk expand - On physical active/passive cluster, needed to expand drive for tempdb by 100 gig. Had windows admin add space but resource...
Performance issues by using cursors on a virtual server? - I have a strange case at hand, with a database which uses cursors for data access /* I know, this is...
Need Help Getting Max Date - Hello Everyone, I am trying to work with this query to return the latest date (in this case it is userDate2): [code...
Find user connections to SQL server tables - I want to check how many users are connected to any particular SQL table and cube (SSAS). This will be...
Reset SUM during Grouped selection using CTE - Hi all, I've been trying for days to solve a seemingly simple problem. DECLARE @table TABLE (id INT,type_id INT,node_id...
Unable to start the SQL Server Agent - I am unable to start the SQL agent. Getting the below error message when I tried to start the agent. The SQL Server...
Things to consider while creating new table for an application - Hi All, I am going to design a new table for one functionality which we are going to add in our...
Converting User SID Binary to String TSQL - Hello All, Basically I'm trying to use TSQL to convert user SIDs from Binary to String and vice versa but I'm...
Split column value to rows. - Hi All, I was looking for code to split a column value into separate rows. Any help on this? Like for the example below...
UPDATE Duplicates Except for One Record in a Table - Hi All, I need to set a field in a product table for a bunch of products. We have some duplicated...
Help with query - Hi all, I'm having a moment, and I can't seem to get the query right. I'm trying to get the actual...
ssrs 2008 final report totals - In an existing ssrs 2008 report, I want to add final report totals. I want the total line to be...
Change in Salary - Hello all, Can someone guide me please. I need a script that will show me changes in a person's salary. I...
How to Add Data Conversion task dynamically - I am creating a metadata driven SSIS package, OLEDB Source to Excel Destination, where a Data Conversion task is required and need to...
This newsletter was sent to you because you signed up at SQLServerCentral.com. This transmission is ©2017 Redgate Software Ltd, Newnham House, Cambridge Business Park, Cambridge, CB4 0WZ, United Kingdom. All rights reserved. Contact: webmaster@sqlservercentral.com