Don Kiely's Technical Blatherings

All Things Technical in .NET, SQL Server, and Security


Monday, June 11, 2007 - Posts

Geeking Out on SQL Server 2005 Security at DevConnections

I just found out that I’ll be doing a full day, post-conference session on SQL Server 2005 security at SQL Server Magazine Connections at DevConnections in Las Vegas this November.

I’m excited beyond words! I’ve wanted to do this for a long time, and we’re going to geek out on keeping data safe from villains.

Here’s the draft description:

There are few corporate assets as valuable in the information age as data. Enterprises spend billions to collect and generate it, slice and dice it in every conceivable way to mine marketplace intelligence from it, and replicate and back it up using elaborate, redundant schemes. Yet it is all too common to slack on security. Sure, SQL Server 2005 is designed to be "secure by default," but once you add databases and start letting users and their applications access the server you have already poked holes in the security. SQL Server comes with plenty of features that let you secure data, but it can be hard to get a handle on the right ones to use in your environment. During this day of security, we'll explore myriad security features in SQL Server 2005, including granular permissions and how to design an effective authorization system; owners and schemas and how they can help secure a database; the security issues and dangers with running SQL-CLR code; how to run T-SQL code in different security contexts; the comprehensive encryption features that can protect data; creating and enforcing password policies; how SQL Server protects catalog views and secures metadata; protecting against SQL injection attacks on the server; and more. You'll see lots of code and get lots of practical ideas for how to secure your database. Prerequisites: You'll need to have a good understanding of the basic database features and functions of SQL Server for this workshop, and it helps to have butted heads with SQL Server a time or two trying to get something to work without completely disabling security.

I’ll post more later as I develop the outline and contents.

posted Monday, June 11, 2007 5:40 PM by donkiely with 0 Comments

OWASP Top Ten, 2007 Edition

OWASP, the Open Web Application Security Project, has finally released its updated list of Top 10 critical Web application security flaws. If you do Web development, I rather strongly suggest that you be familiar with all the vulnerabilities on the list and how to avoid them. If you take care of all 10, you’ll have a reasonably secure site. It won’t be totally secure because new attacks appear every week, and security takes vigilance.

Practice safe computing!

posted Monday, June 11, 2007 12:55 PM by donkiely with 0 Comments



