SQL Server source code analysis and management adds database security

You may or may not be a developer, but what you do as a DBA has a direct tie-in with source code analysis – and security. If you're hands-on with development, like I know many MCDBAs and others responsible for SQL Server are, you can do source code analysis on your own. Or, if you just handle the database side of things, you can work with your developers to make sure security is an integral part of the software quality lifecycle. After all, it's most often the front-end components of Web and other applications that create the risks associated with your backend database systems.

SQL Server application security is not a very hard sell these days. It's becoming common knowledge that performing both vulnerability/penetration testing and source code analysis are required to ensure overall application security. However, if you're going to get the right people on your side – either management who approves your budget or developers who'll be doing the work – you'll need to present the business value of source code analysis.

Here are three common-sense reasons for performing source code analysis as part of your database security measures:

1. It'll help formalize and beef up your development processes and thus help with competitive differentiation and compliance. This is something auditors, business partners, as well as prospective and current clients like to see.
2. It's very simple to do, as the SQL source code analysis tools have really improved over the past couple of years. It literally just involves installing the software, loading the code, clicking Start, and reviewing the results and recommendations that crop up a few seconds – maybe minutes – later.
3. The cost and effort required are minimal compared to the payoffs.

I can't think of a rationale for not performing source code analysis on a periodic and consistent basis. At least do it once per year or after any major releases. Whether you outsource it or do it in house, SQL source code analysis adds database security and shows that you take your

More on protecting SQL Server databases: How secure is your SQL Server network design? Reorganize permissions in SQL Server 2005 step by step Ten common SQL Server security vulnerabilities you may be overlooking

work as a DBA seriously and are concerned about the image of your organization's long-term gains. It also creates a checks-and-balances system that bolsters accountability inside your department. Plus, you'll benefit from learning a new skill or at least enhancing communication and relationships with your developers.

Innovation is a key part of our job responsibilities in IT. Stepping up to the plate and integrating SQL Server source code analysis and management into your database security measures is an excellent way to manage your applications and stay ahead of the curve. It will most certainly be something that's expected in every project in the near future as simply another component of software quality. I can't think of a better time to start than now.

ABOUT THE AUTHOR:

Kevin Beaver is an independent information security consultant, keynote speaker and expert witness with Atlanta-based Principle Logic LLC where he specializes in performing independent security assessments. Kevin has authored/co-authored seven books on information security, including Hacking For Dummies and Hacking Wireless Networks For Dummies (Wiley). He's also the creator of the Security On Wheels information security audio books and blog providing security learning for IT professionals on the go. Kevin can be reached at kbeaver@principlelogic.com. Copyright 2008 TechTarget

Rate this Tip To rate tips, you must be a member of SearchSQLServer.com. Register now to start rating these tips. Log in if you are already a member. Digg This!     StumbleUpon     Del.icio.us    RELATED CONTENT SQL Server security Implementing security audit in SQL Server 2008 Tutorial: Learn SQL Server basics from A-Z New security features in SQL Server 2008 leave some work for you Can I encrypt and restore a database backup in SQL Server 2005? FAQ: How to troubleshoot and grant SQL Server permissions Secure SQL Server from SQL injection attacks How insiders hack SQL databases with free tools and a little luck Sarbanes-Oxley compliance checklist: IT security and SQL audits Ten common SQL Server security vulnerabilities you may be overlooking SQL Server 2008 security and compliance features reduce security risks SQL/Transact SQL (T-SQL) The sqlcmd utility in SQL Server How to create a SQL inner join and outer join: Basics to get started Avoid cursors in SQL Server with these methods to loop over records Implementing security audit in SQL Server 2008 New datetime data types in SQL Server 2008 offer flexibility Basic objects of T-SQL in SQL Server 2008 Using T-SQL data types in SQL Server 2008 SQL Server 2008 function types in T-SQL Additional T-SQL operations in SQL Server 2008 Using DATEADD and DATEDIFF to calculate SQL Server datetime values SQL/Transact SQL (T-SQL) Research SQL Server stored procedures SQL Server Service Broker Tutorial and Reference Guide SQL Server trigger vs. stored procedure to receive data notification How to use SQL Server 2008 hierarchyid data type SQL Server stored procedures tutorial: Write, tune and get examples Check SQL Server database and log file size with this stored procedure Configure SQL Server Service Broker for sending stored procedure data Find size of SQL Server tables and other objects with stored procedure Track changes to SQL Server 2000 and 2005 with one simple utility Troubleshoot SQL Server 2005 temporary table performance problems Use SQL Profiler to find long running stored procedures and commands RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary data corruption  (SearchSQLServer.com) data hiding  (SearchSQLServer.com) RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.