As a DBA, you already have a lot on your plate, but may I suggest adding one more critical element to your work? It's source code analysis – looking at security vulnerabilities from yet another perspective. SQL Server source code analysis has become one of the essential requirements for good security and it's one that will help take your job to the next level. It'll also help set you apart from the crowd – something we can all benefit from to keep us moving forward.
You may or may not be a developer, but what you do as a DBA has a direct tie-in with source code analysis – and security. If you're hands-on with development, like I know many MCDBAs and others responsible for SQL Server are, you can do source code analysis on your own. Or, if you just handle the database side of things, you can work with your developers to make sure security is an integral part of the software quality lifecycle. After all, it's most often the front-end components of Web and other applications that create the risks associated with your backend database systems.
SQL Server application security is not a very hard sell these days. It's becoming common knowledge that performing both vulnerability/penetration testing and source code analysis are required to ensure overall application security. However, if you're going to get the right people on your side – either management who approves your budget or developers who'll be doing the work – you'll need to present the business value of source code analysis.
Here are three common-sense reasons for performing source code analysis as part of your database security measures:
- It'll help formalize and beef up your development processes and thus help with competitive differentiation and compliance. This is something auditors, business partners, as well as prospective and current clients like to see.
- It's very simple to do, as the SQL source code analysis tools have really improved over the past couple of years. It literally just involves installing the software, loading the code, clicking Start, and reviewing the results and recommendations that crop up a few seconds – maybe minutes – later.
- The cost and effort required are minimal compared to the payoffs.
I can't think of a rationale for not performing source code analysis on a periodic and consistent basis. At least do it once per year or after any major releases. Whether you outsource it or do it in house, SQL source code analysis adds database security and shows that you take your
work as a DBA seriously and are concerned about the image of your organization's long-term gains. It also creates a checks-and-balances system that bolsters accountability inside your department. Plus, you'll benefit from learning a new skill or at least enhancing communication and relationships with your developers.
Innovation is a key part of our job responsibilities in IT. Stepping up to the plate and integrating SQL Server source code analysis and management into your database security measures is an excellent way to manage your applications and stay ahead of the curve. It will most certainly be something that's expected in every project in the near future as simply another component of software quality. I can't think of a better time to start than now.
ABOUT THE AUTHOR
Kevin Beaver, is an information security consultant, keynote speaker and expert witness with Atlanta-based Principle Logic LLC. Kevin specializes in performing independent security assessments. Kevin has authored/co-authored seven books on information security, including Hacking For Dummies and Hacking Wireless Networks For Dummies (Wiley). He's also the creator of the Security on Wheels information security audio books and blog providing security learning for IT professionals on the go. Kevin can be reached at firstname.lastname@example.org.