SQL Server source code analysis and management adds database security

You may or may not be a developer, but what you do as a DBA has a direct tie-in with source code analysis – and security. If you're hands-on with development, like I know many MCDBAs and others responsible for SQL Server are, you can do source code analysis on your own. Or, if you just handle the database side of things, you can work with your developers to make sure security is an integral part of the software quality lifecycle. After all, it's most often the front-end components of Web and other applications that create the risks associated with your backend database systems.

SQL Server application security is not a very hard sell these days. It's becoming common knowledge that performing both vulnerability/penetration testing and source code analysis are required to ensure overall application security. However, if you're going to get the right people on your side – either management who approves your budget or developers who'll be doing the work – you'll need to present the business value of source code analysis.

Here are three common-sense reasons for performing source code analysis as part of your database security measures:

1. It'll help formalize and beef up your development processes and thus help with competitive differentiation and compliance. This is something auditors, business partners, as well as prospective and current clients like to see.
2. It's very simple to do, as the SQL source code analysis tools have really improved over the past couple of years. It literally just involves installing the software, loading the code, clicking Start, and reviewing the results and recommendations that crop up a few seconds – maybe minutes – later.
3. The cost and effort required are minimal compared to the payoffs.

I can't think of a rationale for not performing source code analysis on a periodic and consistent basis. At least do it once per year or after any major releases. Whether you outsource it or do it in house, SQL source code analysis adds database security and shows that you take your

More on protecting SQL Server databases: How secure is your SQL Server network design? Reorganize permissions in SQL Server 2005 step by step Ten common SQL Server security vulnerabilities you may be overlooking

work as a DBA seriously and are concerned about the image of your organization's long-term gains. It also creates a checks-and-balances system that bolsters accountability inside your department. Plus, you'll benefit from learning a new skill or at least enhancing communication and relationships with your developers.

Innovation is a key part of our job responsibilities in IT. Stepping up to the plate and integrating SQL Server source code analysis and management into your database security measures is an excellent way to manage your applications and stay ahead of the curve. It will most certainly be something that's expected in every project in the near future as simply another component of software quality. I can't think of a better time to start than now.

ABOUT THE AUTHOR:

Kevin Beaver is an independent information security consultant, keynote speaker and expert witness with Atlanta-based Principle Logic LLC where he specializes in performing independent security assessments. Kevin has authored/co-authored seven books on information security, including Hacking For Dummies and Hacking Wireless Networks For Dummies (Wiley). He's also the creator of the Security On Wheels information security audio books and blog providing security learning for IT professionals on the go. Kevin can be reached at kbeaver@principlelogic.com. Copyright 2008 TechTarget

Rate this Tip To rate tips, you must be a member of SearchSQLServer.com. Register now to start rating these tips. Log in if you are already a member. Digg This!     StumbleUpon     Del.icio.us    RELATED CONTENT SQL Server security Sarbanes-Oxley compliance checklist: IT security and SQL audits Ten common SQL Server security vulnerabilities you may be overlooking SQL Server 2008 security and compliance features reduce security risks Get your SQL Server security goals in order How secure is your SQL Server network design? Creating a SQL Server user authentication schema Could a join of encrypted SQL Server data have a problem? SQL Server connection lost when SA password is changed How to set SQL Server password for SA login Creating a login in SQL Server 2000 Enterprise Manager SQL/Transact SQL (T-SQL) Create DDL table in SQL Server 2005 to audit DDL trigger activity SQL and SQL Server Tutorial and Reference Guide Retrieve XML data values with XQuery in SQL Server 2005 How to construct and use SQL OUTER JOINs optimally How to use the LEFT vs. RIGHT OUTER JOIN in SQL Using the FULL OUTER JOIN in SQL SQL OUTER JOIN sample uses SQL OUTER JOIN sample statements for queries Stored procedure to monitor long-running jobs in SQL Server 2000 Five sqlcmd features to automate SQL Server database tasks SQL/Transact SQL (T-SQL) Research SQL Server stored procedures Check SQL Server database and log file size with this stored procedure SQL and SQL Server Tutorial and Reference Guide Configure SQL Server Service Broker for sending stored procedure data Find size of SQL Server tables and other objects with stored procedure Track changes to SQL Server 2000 and 2005 with one simple utility Troubleshoot SQL Server 2005 temporary table performance problems Use SQL Profiler to find long running stored procedures and commands Stored procedure to monitor long-running jobs in SQL Server 2000 Using BULK INSERT to insert rows from SQL Server dataset to table SQL Server query to import database names RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary data corruption  (SearchSQLServer.com) data hiding  (SearchSQLServer.com) RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.