My initial goal of documenting and exploring SQL Server Row Level Security (RLS) was to show the basic functionality and focus on a few performance and administrative items. I also wanted to confirm my base assumption that it is very secure. This security makes it useful in many situations to segregate data by user groups, …
The app services in the title can be function apps, web apps or more. We can deploy the app services on the native app service environment provided by Microsoft or using containers. What’s the difference between using the native environment and using containers? The differences aren’t many, and it’s not easy to identify when it’s …
There’s more to security in MySQL than user account privileges. In this article, Lukas Vileikis explains the other components of MySQL security.…
MFA and conditional access policies are powerful tools for our cloud security, but they are full of tricks. I don’t pretend to cover the basics here. You know you can create conditional access policies to request MFA authentication from the users. You also know that the default configuration (which you should avoid) will request …
Dynamic Data Masking is a very interesting security feature allowing us to mask sensitive fields such as e-mail, phone number, credit card and so on. We can decide which users will be able to see the values of these fields and which will not. This feature had many flaws when it was released, but I believe it’s …
In this blog, I want to explore what you can do to block the owner of a database from doing stuff in the database they “own”. Own is a strange term, because really there is just one user that is listed as owner, but there are three users who essentially are owner level, …
The danger of Cross-Site Scripting (XSS) has to be dealt with in any web application. You do this by validating the input from all possible channels, by constraining it in terms of its range, type and length, and by encoding the output from views. ASP.NET has some built-in validation of requests that can be extended to make it more effective, but this approach has changed with ASP.NET Core to place the onus on the application developers to provide the middleware to perform effective validation that is fine-tuned to the application. Dino Esposito explains.…
SQL Server Encryption is an essential part of what is required for protecting data. Column-level encryption can be a very effective way of doing this. In the first in a series of articles on the theme of SQL Server Encryption, Robert Sheldon once more makes it all seem easy.…
For many developers, database security and access control is just something that gets in the way of development work. However, several recent security breaches have had devastating consequences and have caused a change in attitude about the value to any organisation of having database applications that meet industry standards for access control and security. The problem, however, is in admitting that you have a problem and finding answers to those problems you are just too shy to ask in public. …
What is wrong with the Enterprise Data Warehouse? Quite a lot, it seems. By taking the narrow view that the struggle is that of accommodating and interrogating huge quantities of data, then initiatives such as the Virtual Data Warehouse and Logical Data Warehouse could make sense. But what about data quality, security, access control, archiving, retention, privacy and regulatory compliance?…
If you are still storing passwords with MD5 hashing you're doing it wrong. The .NET platform provides a Cryptography library that allows you to develop PBKDF2 user authentication to the standards of the Open Web Application Security Project. Tom Fischer explains the background, shows a solution, and discusses the issues.…
It is no good doing some or most of the aspects of SQL Server security right. You have to get them all right, because any effective penetration of your security is likely to spell disaster. If you fail in any of the ways that Robert Sheldon lists and describes, then you can't assume that your data is secure, and things are likely to go horribly wrong.…
Access-control within the database is important for the security of data, but it should be simple to implement. It is easy to become overwhelmed by the jargon of principals, securables, owners, schemas, roles, users and permissions, but beneath the apparent complexity, there is a schema-based system that, in combination with database roles and ownership-chaining, provides a relatively simple working solution.…
ASP.NET MVC provides a way of declaratively validating user inputs. It removes a lot of the tedium of this important task. Nick Harrison explains how to do it, and also points out why it is so important to provide input validation…
A lot of the routine jobs demanded of a DBA can be automated, but a tougher prospect is to automate these jobs in a way that the requestor rather than the DBA can actually set off the job running themselves without compromising security and without risk. Is it true to say that some tasks can be made self-service? In the final part of his series, Joshua considers delegation.…
Security is in the news again. It seems there’s no greater click-bait than a story about indecent photos of beautiful young Hollywood actresses stolen from their iPhones. Find a way to rope a cute kitten into the story and the Internet might very well explode. The current theories abounding seem to suggest that the vulnerabilities lay not with Apple, but…
It is important to set up SQL Server Agent Security on the principles of 'executing with minimum privileges', and ensure that errors are properly logged and alerts are set up for a comprehensive range of errors. SQL Server Agent allows fine-grained control of every job step that should allow tasks to be run entirely safely even if they occasionally need special privileges.…
It is a question that almost anybody working in IT occasionally asks themselves: 'How can I best develop my career to make sure my skills and experience remain in demand?' The question may be spurred by a variety of reasons, including job insecurity, dissatisfaction, or a wish for career advancement. So what advice would you give? Buck Woody tackles the difficult question with some straightforward advice.…
This article is an extract from the book Tribal SQL. In this article, Kevin Feasel explains SQL injection attacks, how to defend against them, and how to keep your Chief Information Security Officer from appearing on the nightly news.…
Securing enterprise business-critical data is as important for DBAs as database tuning and data protection. Oracle provides comprehensive and powerful security controls and solutions to ensure data privacy and data security, which help with meeting regulatory compliance. Oracle supports the following security controls: Data Masking, Advanced Security (TDE, Data Redaction), Label Security, Virtual Private Database (VPD), Fine Grained Auditing (FGA), Data…