SQL Injection, still there after all these years
Security is a thankless task: your best work goes unnoticed, and if you let down your guard for a minute you can be front page news, like the Daily Telegraph (interestingly, on the Guardian web site). In this case the method of attack is an old chestnut, SQL injection, which dates back to 1998.
As a DBA there isn't much you can do to stop this at the database layer, because it is the application's own code, running as an authenticated user with legitimate permissions, that is doing the work; the injected statement arrives looking like any other query from that login. There are lots of tools and advice to help developers write secure code, including the following from Microsoft:
- Source Code Analyzer for SQL Injection
- SQL Server Security Blog
- Security Development Lifecycle(SDL)
- Some top tips on what to do to mitigate SQL injection attacks in your code from the SDL Team blog
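To make the developer-side point concrete, here is an added T-SQL example (not code from the original post or from the Microsoft resources listed above): a stored procedure that builds its statement by string concatenation, beside the same procedure rewritten to use sp_executesql with a typed parameter. The table, data, procedure names and the attack string are all constructed for the demonstration.

```sql
-- Constructed demo schema (not from the original post)
CREATE TABLE dbo.Customers
(
    CustomerId int IDENTITY(1,1) PRIMARY KEY,
    Name       nvarchar(100) NOT NULL,
    Email      nvarchar(200) NOT NULL
);
INSERT INTO dbo.Customers (Name, Email)
VALUES (N'Alice', N'alice@example.com'),
       (N'Bob',   N'bob@example.com');
GO

-- VULNERABLE: the caller-supplied value is spliced into the statement text,
-- so a quote inside @Name ends the literal and the rest is parsed as SQL.
CREATE PROCEDURE dbo.FindCustomer_Vulnerable @Name nvarchar(100)
AS
BEGIN
    DECLARE @sql nvarchar(max) =
        N'SELECT CustomerId, Name, Email FROM dbo.Customers WHERE Name = ''' + @Name + N'''';
    EXEC (@sql);
END;
GO

-- HARDENED: the statement text never changes; the value travels as a typed
-- parameter, so the same attack string is compared as data and matches nothing.
CREATE PROCEDURE dbo.FindCustomer_Safe @Name nvarchar(100)
AS
BEGIN
    DECLARE @sql nvarchar(max) =
        N'SELECT CustomerId, Name, Email FROM dbo.Customers WHERE Name = @Name';
    EXEC sys.sp_executesql @sql, N'@Name nvarchar(100)', @Name = @Name;
END;
GO

-- Constructed attack string: closes the literal, disables the filter, and
-- comments out the trailing quote the vulnerable procedure appends.
DECLARE @attack nvarchar(100) = N'x'' OR 1=1 --';

-- Vulnerable: the WHERE clause became  Name = 'x' OR 1=1 --'  and every row comes back.
EXEC dbo.FindCustomer_Vulnerable @attack;

-- Hardened: no customer is literally named  x' OR 1=1 --  so no rows come back.
EXEC dbo.FindCustomer_Safe @attack;
GO
```

The fix is the same whether the concatenation happens in T-SQL, as here, or in the application's data-access code: keep the statement text fixed and pass every value as a parameter. The one thing parameters cannot carry is an identifier (a table or column name that genuinely has to vary); for those, validate the name against sys.objects or sys.columns and wrap it with QUOTENAME before it goes anywhere near the statement.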
As a DBA you can at least track what's going on, which helps you detect an attack of this type and gives you the evidence to mitigate future ones. In SQL Server 2008 Enterprise edition you can use the audit feature, which is much easier to enable than setting up a trace and has less overhead. If necessary it can also write to the Windows application or security log as well as to a file for later analysis. Bear in mind that audit records what was run; it does not block the statement, so it is a detection and forensics tool rather than a preventive one. For more on audit, see this TechNet article by the SQL Customer Advisory Team (SQLCAT).
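As an added example of what that looks like in practice (again my own illustration, not code from the original post or the SQLCAT article), the following T-SQL creates a file-based server audit, a database audit specification that records data access and object or principal changes on the application schema, and then reads the file back to look for statements that carry the shape of an injection. The audit and specification names, the file path, the database name AppDb and the login name WebAppLogin are all assumptions you would replace with your own; the LIKE patterns are a constructed triage heuristic, not a detection rule.

```sql
USE master;
GO
-- 1. Server-level audit object: where the records go. Path and sizes are assumptions;
--    the folder must exist and the SQL Server service account needs write access to it.
CREATE SERVER AUDIT Audit_AppData
    TO FILE
    (
        FILEPATH           = N'C:\SQLAudit\',
        MAXSIZE            = 256 MB,
        MAX_ROLLOVER_FILES = 10,
        RESERVE_DISK_SPACE = OFF
    )
    WITH (QUEUE_DELAY = 1000, ON_FAILURE = CONTINUE);
-- To send the records to the Windows Application log instead, use TO APPLICATION_LOG;
-- TO SECURITY_LOG also works, but the service account must first be granted the
-- "Generate security audits" right.
GO
ALTER SERVER AUDIT Audit_AppData WITH (STATE = ON);
GO

USE AppDb;   -- assumed application database
GO
-- 2. Database-level specification: what to record. SELECT/INSERT/UPDATE/DELETE by any
--    principal on the dbo schema captures the statement text the application actually
--    ran, injected or not. The two action groups catch the follow-on a successful
--    injection often attempts: altering objects and adding or changing users.
CREATE DATABASE AUDIT SPECIFICATION AuditSpec_AppData
    FOR SERVER AUDIT Audit_AppData
    ADD (SELECT, INSERT, UPDATE, DELETE ON SCHEMA::dbo BY public),
    ADD (SCHEMA_OBJECT_CHANGE_GROUP),
    ADD (DATABASE_PRINCIPAL_CHANGE_GROUP)
    WITH (STATE = ON);
GO

-- 3. Reading the file back. The statement column holds the SQL text as executed, so an
--    injected clause is visible verbatim. Failed statements (succeeded = 0) are worth
--    keeping in view too: an attacker's probing usually errors before it works.
SELECT event_time, session_id, server_principal_name, database_name,
       schema_name, object_name, action_id, succeeded, statement
FROM sys.fn_get_audit_file(N'C:\SQLAudit\*', DEFAULT, DEFAULT)
WHERE server_principal_name = N'WebAppLogin'          -- assumed application login
  AND (statement LIKE N'% OR 1=1%'
       OR statement LIKE N'%UNION%SELECT%'
       OR statement LIKE N'%--%'
       OR statement LIKE N'%xp_cmdshell%')
ORDER BY event_time DESC;
```

Two caveats a DBA will hit straight away. Because the application connects with a single login, server_principal_name tells you which application ran the statement, not which end user; you correlate with the web server logs by event_time to get that. And auditing every SELECT on a busy schema produces a lot of records, so size the rollover files accordingly and decide up front whether ON_FAILURE should be CONTINUE (keep serving if the audit cannot write) or SHUTDOWN (stop the instance rather than run unaudited).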
This is just one area where databases are under threat, so I will continue this theme throughout the week to cover some of the other things you can do to keep your data secure (and possibly your careers as well!).
Technorati Tags: SQL Server,T-SQL,SQL injection,Security