Security vs speed in databases: are engineering teams quietly accepting more risk?
Redgate’s 2026 State of the Database Landscape report reveals that people are increasingly willing to accept more risk to be more productive and take full advantage of AI’s capabilities.
Steve Jones, Kellyn Gorman, Grant Fritchey and Pat Wright share their thoughts on that in today’s episode. They share stories from their own careers, debate whether the decline of the DBA ‘gatekeeper’ role has weakened security practices, discuss how AI is amplifying the problem – and much more.
Read the 2026 State of the Database Landscape here: https://www.red-gate.com/solutions/state-of-database-landscape/2026/
Don’t have time to listen? 11 key takeaways from this episode
“Accepting more risk for speed” usually means misjudging the risk
Most teams making this trade don’t have a real model of what they’re agreeing to. As Steve put it in the episode: “People misassess risk. They say they’re accepting more risk, but really they don’t understand the risk they’re accepting.”
“The internet finds open doors in minutes, not months”
Grant has tested this directly by opening up example databases on cloud platforms: “The moment it’s open, there’s hacking attempts. It’s like I’m opening up little tiny example databases and there’s 1,000 hits a minute trying to hack into it.”
You don’t have to be a target — just a resource
Pat recounted a SQL Server that ended up quietly mining Bitcoin for an attacker who never even touched the data. Kellyn encountered the same pattern, with leaked AWS API keys and crypto miners running up a significant bill.
Retrofitting security onto a privileged-by-default app is brutal
Whether it’s Great Plains demanding SA for everything or Postgres systems with weak authentication rules left in pg_hba.conf, Kellyn, Steve, Pat & Grant all agreed that adding security later is one of the hardest things in software. As Steve said, “you’re so worried about breaking something, you wouldn’t do it.”
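The first step in a retrofit is finding out what the permissive settings actually are before touching them. The script below is an added example (not code from the episode, Redgate or the page): it parses a pg_hba.conf and ranks the rules that would have to go, so that the list of things that might break is explicit before anyone edits the file. The config text is constructed for illustration; the severity scale and the 'weak method' list are the example's own choices.

```python
"""Audit a pg_hba.conf for permissive authentication rules.

Added example, not from the Redgate episode or the page it summarises.
SAMPLE_PG_HBA is constructed for illustration; the weak entries are the
kind of thing a retrofit has to remove without breaking the apps that
quietly depend on them.
"""
import ipaddress

# Auth methods that should not survive into a hardened pg_hba.conf.
WEAK_METHODS = {
    "trust": "no authentication at all",
    "password": "password sent to the server in cleartext",
    "md5": "legacy MD5 challenge; prefer scram-sha-256",
}

# Constructed sample. Line numbers matter for the findings below.
SAMPLE_PG_HBA = """\
# TYPE  DATABASE  USER  ADDRESS                 METHOD
local   all       all                           peer
host    all       all   127.0.0.1/32            scram-sha-256
host    all       all   0.0.0.0/0               trust   # "temporary" onboarding rule
host    sales     app   10.0.0.0/8              password
host    all       all   10.20.0.0 255.255.0.0   md5
hostssl all       all   0.0.0.0/0               scram-sha-256
"""


def _looks_like_ip(token):
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False


def parse_pg_hba(text):
    """Return one dict per effective rule line.

    Handles the 'local' form (no ADDRESS column) and the old-style
    'ADDRESS NETMASK' pair; comments and blank lines are skipped.
    """
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        f = line.split()
        if f[0] == "local" and len(f) >= 4:
            rules.append({"line": lineno, "type": f[0], "database": f[1],
                          "user": f[2], "address": None, "method": f[3]})
        elif len(f) >= 5:
            address, rest = f[3], f[4:]
            if len(rest) >= 2 and _looks_like_ip(rest[0]):  # separate netmask column
                address, rest = f"{address}/{rest[0]}", rest[1:]
            rules.append({"line": lineno, "type": f[0], "database": f[1],
                          "user": f[2], "address": address, "method": rest[0]})
    return rules


def address_is_any(address):
    """True when the ADDRESS column matches every client ('all' or a /0)."""
    if address is None or address in ("samehost", "samenet"):
        return False
    if address == "all":
        return True
    try:
        return ipaddress.ip_network(address, strict=False).prefixlen == 0
    except ValueError:
        return False  # hostname; cannot be judged statically


def audit_pg_hba(text):
    """Return findings for weak methods and any-address rules, with a severity."""
    findings = []
    for rule in parse_pg_hba(text):
        weak = rule["method"] in WEAK_METHODS
        wide = address_is_any(rule["address"])
        if weak and wide:
            severity = "high"
            problem = f"{WEAK_METHODS[rule['method']]}, reachable from any address"
        elif weak:
            severity, problem = "medium", WEAK_METHODS[rule["method"]]
        elif wide:
            severity = "low"
            problem = "strong auth but open to any source address; consider narrowing"
        else:
            continue
        findings.append({"line": rule["line"], "severity": severity,
                         "method": rule["method"], "address": rule["address"],
                         "problem": problem})
    return findings


if __name__ == "__main__":
    for f in audit_pg_hba(SAMPLE_PG_HBA):
        print(f"line {f['line']:>3} [{f['severity']:<6}] {f['method']:<14} "
              f"{(f['address'] or '-'):<22} {f['problem']}")
```

Run against the sample, the `trust` rule open to the world is the only high finding; the cleartext and MD5 rules are medium, and the `hostssl` rule is flagged only because it accepts any source address. Note that Postgres reads pg_hba.conf top-down and uses the first matching line, so the order of the rules matters as much as their content when you start replacing them.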
AI is amplifying existing bad habits – not fixing them
The standout line of the episode, from Grant: “It goes back to that 80s commercial. Where did you learn to do drugs? I learned it from you, Dad. The LLMs learned it from us. We’ve taught them poorly and now they’re executing poorly.”
However, there’s a glimpse of how AI could help
Steve described an LLM that, when given credentials in a file, came back unprompted and offered to move them into secure storage. This kind of ‘secure-by-default’ capability is exactly what people want – and need – from AI, but it isn’t the norm yet.
Defaults beat documentation, every time
That’s Kellyn’s core argument: “Everybody’s talking about policy and governance. If they don’t get software that does it for them, they’re going to lose. We need software that goes in and forces people to do it.”
Friction can be a feature
AWS’s fiddly VPC setup is a real impediment to speed — and that’s exactly why it nudges teams toward more deliberate network design. Azure’s “just let any Azure service talk to any other” convenience is faster, but defaults to a posture most teams wouldn’t knowingly choose.
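On Azure SQL the convenience in question is the “Allow Azure services and resources to access this server” switch, which the platform stores as a server-level firewall rule spanning 0.0.0.0 to 0.0.0.0. The script below is an added example (not code from the episode, Redgate or the page) that audits a list of such rules for that sentinel and for over-broad ranges. The rule list is constructed to resemble the JSON that `az sql server firewall-rule list` returns (`name`, `startIpAddress`, `endIpAddress`); that field naming, and the 256-address threshold, are this example's assumptions.

```python
"""Audit Azure SQL server-level firewall rules for 'let everything in' entries.

Added example, not from the Redgate episode or the page. SAMPLE_RULES is
constructed to look like `az sql server firewall-rule list` output; the
field names are an assumption about that CLI's JSON.
"""
import ipaddress

# Azure represents the "Allow Azure services and resources to access this
# server" switch as a rule with this exact start/end pair. It admits any
# client running on Azure, including other tenants' services.
AZURE_SERVICES_SENTINEL = ("0.0.0.0", "0.0.0.0")

# Ranges wider than this are treated as "a subnet someone didn't want to
# think about" rather than a list of known hosts (assumed threshold).
MAX_RANGE_SIZE = 256

# Constructed sample: one sentinel rule, one sane host rule, one
# everything-rule, and one range that is wider than it needs to be.
SAMPLE_RULES = [
    {"name": "AllowAllWindowsAzureIps",
     "startIpAddress": "0.0.0.0", "endIpAddress": "0.0.0.0"},
    {"name": "office-egress",
     "startIpAddress": "203.0.113.10", "endIpAddress": "203.0.113.10"},
    {"name": "everything",
     "startIpAddress": "0.0.0.0", "endIpAddress": "255.255.255.255"},
    {"name": "contractor",
     "startIpAddress": "198.51.100.0", "endIpAddress": "198.51.103.255"},
]


def rule_span(rule):
    """Number of IPv4 addresses a start/end rule admits (inclusive)."""
    start = int(ipaddress.IPv4Address(rule["startIpAddress"]))
    end = int(ipaddress.IPv4Address(rule["endIpAddress"]))
    if end < start:
        raise ValueError(f"{rule['name']}: end address precedes start address")
    return end - start + 1


def audit_firewall_rules(rules, max_range=MAX_RANGE_SIZE):
    """Return findings for the sentinel rule, whole-internet rules and wide ranges."""
    findings = []
    for rule in rules:
        pair = (rule["startIpAddress"], rule["endIpAddress"])
        if pair == AZURE_SERVICES_SENTINEL:
            findings.append({"name": rule["name"], "severity": "high",
                             "problem": "allows any Azure-hosted client, not just your own; "
                                        "replace with a VNet rule or private endpoint"})
            continue
        span = rule_span(rule)
        if span == 2 ** 32:
            findings.append({"name": rule["name"], "severity": "high",
                             "problem": "entire IPv4 internet"})
        elif span > max_range:
            findings.append({"name": rule["name"], "severity": "medium",
                             "problem": f"{span} addresses; narrow to the hosts that connect"})
    return findings


if __name__ == "__main__":
    for f in audit_firewall_rules(SAMPLE_RULES):
        print(f"[{f['severity']:<6}] {f['name']:<26} {f['problem']}")
```

The point of the check is that the sentinel rule looks innocuous in a listing (a zero-width range) while being the widest grant on the server; the AWS equivalent would be a security group ingress rule on 0.0.0.0/0, which at least looks as open as it is.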
Legacy systems aren’t the only problem
Kellyn pointed to the OCI breach — which started with an unpatched legacy app — but also flagged that newer architectures like data lakes are creating fresh exposure by democratising access faster than security can keep up.
The ‘zero-day’ window is closing fast
Where teams used to wait months to patch databases, automated attacks now arrive within days of a vulnerability being published. Patching cadence has to shrink to match.
Security vs speed? It should instead be ‘visible work vs invisible risk’
Security work shows up in tickets and slower PRs, so it’s visible. The risk it averts, however, doesn’t show up anywhere – until said risk becomes a reality. Then, it shows up everywhere.