Archive for June, 2008

Sunday, June 22nd, 2008

SQL Injection and separation of duties

Adrian Lane writes in his blog entry about separation of duties on the application level. While I agree with his sentiments, I also know how hard it is to do so from the application development side. In most applications, database connections use connection pooling. Creating such a separation makes the development process a [...]

No Comments » - Posted in SQL injection, security by Slavik

Friday, June 20th, 2008

Mass SQL Injection attack is still out there

Well, it was an interesting day today for us at Sentrigo. One of our customers was being attacked by this mass SQL injection, and since our software identified the attack, he came to us to help him cope with the situation. As explained in other places, the attack takes advantage of vulnerable web sites and [...]

6 Comments » - Posted in MS SQL Server, SQL injection, security by Slavik

Monday, June 2nd, 2008

So, you think you’ve removed that sensitive data (part II)

As I wrote in a previous post, truncating tables or scrambling content might not remove the actual data from the datafiles. The examples I gave in that post were Oracle-related, and now I'll show the same using MS SQL Server 2005. I'd like to thank Dmitriy Geyzerskiy for providing the actual working example.
create database [...]

No Comments » - Posted in DBA, MS SQL Server, insider threat, security, technical tips by Slavik