SQL Server source code analysis and management adds database security

You may or may not be a developer, but what you do as a DBA has a direct tie-in with source code analysis – and security. If you're hands-on with development, like I know many MCDBAs and others responsible for SQL Server are, you can do source code analysis on your own. Or, if you just handle the database side of things, you can work with your developers to make sure security is an integral part of the software quality lifecycle. After all, it's most often the front-end components of Web and other applications that create the risks associated with your backend database systems.

SQL Server application security is not a very hard sell these days. It's becoming common knowledge that performing both vulnerability/penetration testing and source code analysis are required to ensure overall application security. However, if you're going to get the right people on your side – either management who approves your budget or developers who'll be doing the work – you'll need to present the business value of source code analysis.

Here are three common-sense reasons for performing source code analysis as part of your database security measures:

1. It'll help formalize and beef up your development processes and thus help with competitive differentiation and compliance. This is something auditors, business partners, as well as prospective and current clients like to see.
2. It's very simple to do, as the SQL source code analysis tools have really improved over the past couple of years. It literally just involves installing the software, loading the code, clicking Start, and reviewing the results and recommendations that crop up a few seconds – maybe minutes – later.
3. The cost and effort required are minimal compared to the payoffs.

I can't think of a rationale for not performing source code analysis on a periodic and consistent basis. At least do it once per year or after any major releases. Whether you outsource it or do it in house, SQL source code analysis adds database security and shows that you take your

More on protecting SQL Server databases: How secure is your SQL Server network design? Reorganize permissions in SQL Server 2005 step by step Ten common SQL Server security vulnerabilities you may be overlooking

work as a DBA seriously and are concerned about the image of your organization's long-term gains. It also creates a checks-and-balances system that bolsters accountability inside your department. Plus, you'll benefit from learning a new skill or at least enhancing communication and relationships with your developers.

Innovation is a key part of our job responsibilities in IT. Stepping up to the plate and integrating SQL Server source code analysis and management into your database security measures is an excellent way to manage your applications and stay ahead of the curve. It will most certainly be something that's expected in every project in the near future as simply another component of software quality. I can't think of a better time to start than now.

ABOUT THE AUTHOR:

Kevin Beaver is an independent information security consultant, keynote speaker and expert witness with Atlanta-based Principle Logic LLC where he specializes in performing independent security assessments. Kevin has authored/co-authored seven books on information security, including Hacking For Dummies and Hacking Wireless Networks For Dummies (Wiley). He's also the creator of the Security On Wheels information security audio books and blog providing security learning for IT professionals on the go. Kevin can be reached at kbeaver@principlelogic.com. Copyright 2008 TechTarget

Rate this Tip To rate tips, you must be a member of SearchSQLServer.com. Register now to start rating these tips. Log in if you are already a member. Digg This!     StumbleUpon     Del.icio.us    RELATED CONTENT SQL Server Security Meet compliance requirements with improved database security practices Hardening the network and OS for SQL Server security Securing the server and database in SQL Server SQL Server security made simple and sensible Blog: Protect your databases from the internal threat Setting up SQL Server Service Broker for secure communication The keys to database backup protection for SQL Server Understanding transparent data encryption in SQL Server 2008 The fine line between not encrypting your databases and breach notification Securing SQL Server with access control, login monitoring and DDL triggers SQL/Transact SQL (T-SQL) SQL language crash course (just enough to be dangerous) Working with IntelliSense in SQL Server 2008 Management Studio SQL Server Mailbag: Stored procedures, triggers and SSRS reports Working with sparse columns in SQL Server 2008 Determining the source of full transaction logs in SQL Server New GROUP BY option provides better data control in SQL Server 2008 Using the OPENROWSET function in SQL Server Loading data files with SQL Server's BULK INSERT statement Importing and exporting bulk data with SQL Server's bcp utility Testing transaction log autogrowth behavior in SQL Server SQL/Transact SQL (T-SQL) Research SQL Server Stored Procedures SQL Server Mailbag: CALs, witnesses and unwanted changes SQL Server Mailbag: Stored procedures, triggers and SSRS reports Top tips and tricks for SQL Server database development Top 10 SQL Server development tips of 2008 SQL Server trigger vs. stored procedure to receive data notification SQL Server errors, failures and other problems fixed from the trenches SQL Server and data manipulation in T-SQL How to use SQL Server 2008 hierarchyid data type SQL Server stored procedures tutorial: Write, tune and get examples Check SQL Server database and log file size with this stored procedure RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary data corruption  (SearchSQLServer.com) data hiding  (SearchSQLServer.com) RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.