28 October 2010

  • 7,468 views

  • 0

28 October 2010

7,468 views

 0

SA no more!

Despite it being such an obvious security problem, developers still use the sa login, or assign sysadmin privileges to their Windows login, during their development work. Some take rather belligerent stance on this (“it’s my server; it’s not exposed to the outside world. What’s your problem?!”), but it seems to me that the majority are well aware that it’s a bad practice…and yet persist with it anyway. The use of logins with god-like powers can easily spill over to unit-tests, and even through to user-acceptance testing.

Often, when an application moves into production, it may, depending on the nature of the data that is held, need to conform to a security policy that uses carefully configured access-control techniques, to comply with current legislation. It is often at that point, when sysadmin superpowers can no longer be assigned to logins, that certain features simply stop working! It’s often possible to retro-fit a security design into the database, or to reconfigure the security credentials to avoid using sa, but in some cases, especially with third-party applications, it’s very difficult.

Ultimately, the business needs the application to work. The quickest solution to get the application into production is often to grant sysadmin privileges to the application login, in the production environment, and hope that the auditors don’t notice. On top of this of course, there are the various direct user logins, for reporting and so on, which often get elevated to sysadmin privileges and then quietly forgotten. The consequences for the security and support of the system are obvious, and too painful for the more sensitive DBA to read.

How can this happen? My own view is that, in the typical development team, all the pressure is on hitting measurable targets, and a robust security design isn’t easily measured. So often, a casual attitude to access-control in the development team spills over into the design of the application, and proper testing of testing of authentication and authorization is often completely overlooked. Database security isn’t a fashionable topic either: it is to database development what washing up is to cookery but, likewise, the cost of its neglect can be painful.

Cheers,

Tony.

  • 7,468 views

Tony Davis

Tony Davis is an Editor with Red Gate Software, based in Cambridge (UK), specializing in databases, and especially SQL Server. He edits articles and writes editorials for both the Simple-talk.com and SQLServerCentral.com websites and newsletters, with a combined audience of over 1.5 million subscribers. You can sample his short-form writing at either his Simple-Talk.com blog or his SQLServerCentral.com author page.

As the editor behind most of the SQL Server books published by Red Gate, he spends much of his time helping others express what they know about SQL Server. He is also the lead author of the book, SQL Server Transaction Log Management.

In his spare time, he enjoys running, football, contemporary fiction and real ale.

Follow Tony Davis via

View all articles by Tony Davis

Load comments

Related articles

 01 May 2024
01 May 2024

Technology For Humanity

0
There was a time, when I was in a team that was designing an important IT system for a multinational bank, the testers arranged for perfectly normal office workers from the bank to try the system out. This was long before the days of instant video. The software team watched from behind a two-way mirror. … Read more
0