Robert Hurlbut's SQL Server Blog

Development with SQL Server, Performance, Unit Testing, and Best Practices


SQL Injection article

(cross-posted)

One of my first published articles came out a few days ago in the June, 2005 issue of .NET Developers Journal. This is a security focused issue with Patrick Hynds as the guest editor and some great articles by Duane Laflotte and others.

You can see it online here.

posted Friday, June 17, 2005 1:20 PM by RHurlbut

DevTeach bound

(cross-posted)

This week has been extremely busy with catching up after TechEd, getting the latest SQL Server 2005 June CTP installed on a VPC, playing with the bits, figuring out changes for demos for DevTeach, and actually trying to get some work done to compensate for all these lost billable hours. Whew!

If you are at the conference, I will be speaking on SQL Server 2005 Managed Stored Procedures, SQL Server 2005 Security, and SQL Server 2005 Service Broker. I will be driving up with Sam on early Saturday morning. I am planning on meeting some friends for the first time, plus checking out this great conference everyone has told me about. It should be fun.

posted Friday, June 17, 2005 1:19 PM by RHurlbut

Installed SQL Server 2005?

(Cross-posted)

Have you tried installing SQL Server 2005 yet? If so, how did it go for you?

There is a survey the SQL Server team would like you to fill out:

The Yukon setup team is looking for feedback related to your setup and installation experience. They've set up a survey that asks for a few demographics as well as your experience and any issues with the setup of the Betas or CTPs.

They are looking for error messages as well as your impressions, so if possible, do an install and take the survey soon afterwards. Save your errors, jot some notes, etc., while installing SQL Server 2005.

If you want to help improve the setup process and spare some others the pain of problems, please take a few minutes to complete the survey. This data is very important to the survey team to capture and help improve the user experience.

I already filled out the survey -- everything was pretty smooth for me in my VPC install in a Windows XP SP2 environment. I do have some security related questions that I have posed directly to the SQL Server security team that I am hoping to get answered soon -- some "gotchas" I found that seemed odd.

As I dig into this more, I am hoping to post information on my SQL Server blog regarding SQL Server 2005 Security. Stay tuned.

posted Friday, March 18, 2005 5:20 AM by RHurlbut

Speaking at DevTeach in Montreal on SQL Server 2005

(Cross-posted)

I will be speaking at DevTeach this year in Montreal, Canada on June 18-22, 2005.

My topics (so far -- waiting on a couple of other proposals, but this may be enough) are focused on various SQL Server 2005 features:

SQL Server 2005 Managed Stored Procedures

SQL Server 2005 Security

SQL Server 2005 Service Broker

This should be a fun conference and one I am looking forward to attending and speaking at.

posted Saturday, February 19, 2005 4:10 AM by RHurlbut

New Service Broker blogger

Rushi Desai is now blogging (RSS) on SQL Server 2005 Service Broker! Rushi spent some time working with the SQL Server engine and Service Broker last year at Microsoft and has been a big help to me in the past with some early questions. Take a look at one of his first posts on Service Broker. Subscribed!

posted Sunday, February 06, 2005 5:11 AM by RHurlbut

Slammer Worm still going strong

This news account talks about an Australian telecommunications company that was hit by the infamous Slammer Worm. Slammer, which exploits a vulnerability in un-patched versions of Microsoft SQL Server 2000, was first detected almost two years ago. As always, don't forget to patch, and be very careful not to open old doors because “visitors” are still lurking around out there waiting to come in.

Take a look at this resource for helping to secure your SQL Server 2000 databases: SQL Server 2000 Security Tools

No excuses!

posted Tuesday, January 18, 2005 5:31 AM by RHurlbut

Code Camp 3 - SQL Server 2005 Security

(Cross posted)

I have added another topic to the ever growing data track for the upcoming New England Code Camp 3:

SQL Server 2005 Security
This talk will focus on many of the upcoming changes in security for SQL Server 2005.

This is going to be another great conference with some new speakers (that weren't there for Code Camp 1 and 2) as well as a lot more content. Interested in speaking? Follow the link above to submit your proposal!

posted Sunday, January 16, 2005 7:22 AM by RHurlbut

SQL Server Service Broker news

As mentioned by Bob Beauchemin, there was a great night of Service Broker last week as part of the Guerilla SQL Server 2005. Dan Sullivan presented "Night of the Service Broker" with members of the SQL Server Service Broker team. Sounds like a fun opportunity to talk about one of my favorite current topics!

As Bob also mentions, a new SQL Server Service Broker Developer Spot was created by Dan. According to Bob:

The site will host discussion forums, articles, tutorials, and also host cooperative development of some interesting service broker apps. It's open now, and there'll be sample applications (including the Service Broker client object model, courtesy of the team) up there shortly.

Sounds great! I have already created an account. Take a look, as I am sure this will evolve into a great resource!

posted Sunday, December 19, 2004 6:59 AM by RHurlbut

HDC 2004 Slides and Demos

I have posted my presentation and demo code from the SQL Server 2005 Service Broker talk I gave at the Heartland Developers Conference 2004 in Des Moines, Iowa on December 3. You can get them from these links:

   HDC2004_SQLServer2005ServiceBroker.pdf
   HDC2004_SQLServer2005ServiceBroker.zip

I posted more information about the conference on my other blog.

posted Sunday, December 05, 2004 8:43 AM by RHurlbut

Speaking on SQL Server 2005 Service Broker at HDC 2004

I will be speaking next week on SQL Server 2005 Service Broker at the Heartland Developers Conference in Des Moines, Iowa on December 3, as I did at Code Camp II in October. At the time, I didn't have as much time to play with the bits, but I have since, and I still feel the same -- I love this new feature for SQL Server! I am putting together some articles after my talk next week to be featured in a few locations. Stay tuned.

By the way, you probably have already heard about the great series of webcasts on SQL Server 2005 planned for December. On Wednesday, December 8, there will be a webcast on “Introducing Service Broker in SQL Server 2005—Level 200”. Mark your calendars.

posted Wednesday, November 24, 2004 5:49 AM by RHurlbut

SQL PASS write up

Check out the write up of the events at SQL PASS this year [by way of Julie Lerman].

posted Tuesday, October 05, 2004 10:26 AM by RHurlbut

Speaking at Code Camp II on SQL Server 2005 Service Broker

I have been spending some time with this new technology for awhile. Apart from my interest in the CLR as hosted in SQL Server 2005, Service Broker is one of the most interesting new technologies to come along. As cross-posted on my other blog:

  SQL Server 2005 Service Broker (presentation)

Service Broker is a framework built into SQL Server 2005 that greatly simplifies the creation of reliable, scalable, message-based, asynchronous, distributed database applications. A service broker can manage business transactions, which in practice can last for hours, days or indefinitely and span databases. A Service Broker application consists of a set of services, queues, message formats, and dynamically created conversations. Any application that can make a connection to SQL Server or a web service can make use of a Service Broker application. This session will cover the basics of Service Broker and show the implementation of a Service Broker application.

This will be in addition to other topics I will be presenting at Code Camp II.

posted Wednesday, September 22, 2004 12:00 PM by RHurlbut

Speaking at CodeCamp II on SQL Server Security

If you are in the New England area in October, I will be speaking at CodeCamp II in Waltham, MA at the Microsoft offices. That will take place on the weekend of October 16-17, one week before WIN-DEV 2004.

My database topic (I have a couple of others related to .NET secure development) is:

SQL Server Security (Data Track -- Level 300)

This talk will demonstrate steps and techniques to ensure a freshly installed SQL Server database is secure. I will also demonstrate best practices to permit client applications to access SQL Server securely, prevent SQL Injection, and to effectively audit and implement an intrusion detection plan.

I also noticed Kent Tegels will be there speaking on a couple of SQL Server 2005 Express topics that weekend. Don't miss it!

posted Thursday, August 26, 2004 10:20 AM by RHurlbut

Kimberly Tripp on .NET Rocks

Kimberly Tripp, SQL Server guru and MVP, was on .NET Rocks last week.  The show is available for download here.

A brief description:

Kimberly Tripp offers critical insights into SQL Server 2000 addressing Indexing, optimizing procedural code, the nightmare of row-based operations, and more. This show is 2.5 hours long!

posted Monday, August 02, 2004 12:41 PM by RHurlbut

SQL Server Express installation and blog

Like others, I have also installed the new SQL Server 2005 Express version found here:  http://lab.msdn.microsoft.com/express/sql/.  So far, I like what I see.  I will report more as I do some testing (and playing :-) ).

There is also a new blog available from the SQL Server Express team (subscribe to the RSS).

They already have a post about the differences between SQL Server Express and MSDE.

posted Thursday, July 01, 2004 10:33 AM by RHurlbut

SqlJunkies a sponsor of WIN-DEV 2004

I just noticed SqlJunkies is one of the sponsors for WIN-DEV 2004 this year (October, 2004). That's great!

WinDev 2004 Speaker

I will be speaking this year under the Security for Developers track.  These are my topics.

The Database and Data Access track, chaired by Bob Beauchemin, looks like it is packed with some great information.  Here is a list of the topics:

- A Day of SQL Server 2005 and ADO.NET 2.0
- Locking or Versioning? Snapshot Isolation in SQL Server 2005
- SQL Server 2005 Security Enhancements
- XQuery in SQL Server 2005 and System.Xml
- XML data type
- Trees in SQL
- User-defined types and aggregates in SQL Server 2005
- .NET Coding Drilldown in SQL Server 2005
- T-SQL New Features in SQL Server 2005
- Advanced DDL tricks
- Understanding and Optimizing Performance with ADO.NET
- Web Services in SQL Server 2005
- ADO 2.0 classes for providers
- Writing database-independent SQL in ADO.NET applications
- SQL Server Reporting Services Overview
- SQL Server Service Broker

These are presented by the best in the industry:  Bob Beauchemin, Joe Celko, Girish Chander, Mark Fussell, Dan Sullivan, Rob Steward, Brian Welcker, Jason Carlson, and Niels Berglund.

Don't miss it!

posted Friday, June 11, 2004 4:28 AM by RHurlbut

SQL Server Goddess blogs

By way of Clemens:

You read it here first. Kimberly Tripp blogs (rss). If you do anything with SQL Server: Subscribe!

Subscribed!

posted Tuesday, June 08, 2004 1:14 PM by RHurlbut

Blogging again

I haven't blogged on this site for awhile as I have been mostly developing in Oracle over the last year, but I am starting to get back into some SQL Server development for some of my clients, so some new thoughts and ideas are coming back to me regarding SQL Server.  I have also posted a couple of posts this past month regarding SQL Server on my other .Net Blog:

TechEd Day 2: SQL Server 2000 Best Practices Analyzer

SQL Server Security Book

posted Wednesday, June 02, 2004 12:34 PM by RHurlbut

SQL Server Developer Center

This is nice:

Microsoft has launched a SQL Server Developer Center. [by way of Scott Swigart/Early Adopter]

Looking forward to some very good resources from this site.

(cross-posted on my .Net blog site as well)

posted Wednesday, June 02, 2004 12:27 PM by RHurlbut

SQL Server Security: SQL Injection

This past week, I concluded my talk on Security Coding:  Best Practices at my work site.  This was a continuation of Part 1 that I started last week.  In particular, I dealt with SQL Injection and issues with Encryption and Cryptography.

I spent a little more time on SQL Injection, because this is a very interesting security issue to me.  Even though you think your data is safe behind a few layers (UI, middle-tier), if you are not careful in how you process your calls to your database using the input from the UI, an attacker can easily gain lots of information about and from your database, including retrieving sensitive data and the structure and names of your tables.  An attacker can also drop tables and kill your database completely.

SQL Injection is especially possible when concatenated strings are used for SQL queries.  For example, if an input form requests a user to enter his/her name and password, and those inputs are used in a query string to determine access:

sql = "select * from users where userId = '" + userName + "' and password = '" + password + "'";

An attacker can enter a single quote (') in the userName input field to terminate the string literal.  After that, " OR 1 = 1 --" can be appended.  This sets up a logical condition that is always true, and the "--" comments out the rest of the SQL query (including the password check).  So, the above query would be sent to the database like this:

select * from users where userId = '' OR 1 = 1 -- ' and password = ''

This would effectively bring back all user information.  Very bad.

The key is checking all user input ("Never, ever trust user input").  Check that numeric fields are numeric.  Check that string fields have doubled "single quotes" (i.e. use a replace function to change each single quote (') into two single quotes ('')).  Use stored procedures for access to any data, and when using stored procedures, call them through the ADO command object or the SqlParameter collection and classes so that variables are strongly typed and never concatenated into the query text.  Always design and code for security from the first day, and test, test, test.
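To make the three defenses above concrete, here is an added example (not code from the original post, which targets ADO/SqlParameter in .NET) that runs the post's own "' OR 1 = 1 --" input against an in-memory SQLite table. It contrasts the concatenated query from the post with the quote-doubling fix and with a parameterized query, where sqlite3's "?" placeholders stand in for SqlParameter binding. The table, rows, function names, and the numeric-field check are all constructed for this example.

```python
import re
import sqlite3

# Constructed sample data for this example; plaintext passwords only mirror
# the post's query shape, not a recommended schema.
SAMPLE_USERS = [
    ("alice", "s3cret", "admin"),
    ("bob", "hunter2", "user"),
]

# The exact input discussed in the post.
PAYLOAD = "' OR 1 = 1 --"


def make_db():
    """Build an in-memory users table (hypothetical schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table users (userId text, password text, role text)")
    conn.executemany("insert into users values (?, ?, ?)", SAMPLE_USERS)
    return conn


def login_concat(conn, user_name, password):
    """The vulnerable pattern from the post: user input concatenated into SQL."""
    sql = ("select * from users where userId = '" + user_name +
           "' and password = '" + password + "'")
    return conn.execute(sql).fetchall()


def login_escaped(conn, user_name, password):
    """Defense: double every single quote before concatenating.

    This keeps the quote from closing the string literal, but only works for
    string fields and still leaves the query built by hand."""
    u = user_name.replace("'", "''")
    p = password.replace("'", "''")
    sql = ("select * from users where userId = '" + u +
           "' and password = '" + p + "'")
    return conn.execute(sql).fetchall()


def login_param(conn, user_name, password):
    """Defense: bind values as parameters so the text is never parsed as SQL.

    sqlite3's '?' binding plays the role of SqlParameter in ADO.NET."""
    sql = "select * from users where userId = ? and password = ?"
    return conn.execute(sql, (user_name, password)).fetchall()


def parse_numeric_field(value):
    """Defense: a numeric field must actually be numeric; reject anything else.

    Quote-doubling does nothing for a field that is not quoted in the query,
    so numeric input has to be validated (or bound as a typed parameter)."""
    if not re.fullmatch(r"-?\d+", value.strip()):
        raise ValueError("numeric field expected, got %r" % value)
    return int(value)


def demo():
    """Return the row counts each approach yields for the post's input."""
    conn = make_db()
    return {
        # Concatenation: userId = '' OR 1 = 1 -- ... returns every row.
        "concat": len(login_concat(conn, PAYLOAD, "")),
        # Doubled quotes: the whole payload is compared as a literal; no match.
        "escaped": len(login_escaped(conn, PAYLOAD, "")),
        # Parameters: same result as above, without hand-built SQL.
        "param": len(login_param(conn, PAYLOAD, "")),
        # A genuine login still works with the parameterized query.
        "legit": len(login_param(conn, "alice", "s3cret")),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print("%-8s -> %d row(s)" % (name, rows))
    print("numeric check:", parse_numeric_field(" 42 "))
```

Running the script shows the concatenated query returning both constructed users for the post's input while the escaped and parameterized versions return none, which is the difference the post describes. The parameterized form is the one to standardize on: quote-doubling must be remembered at every call site and covers only quoted string fields, whereas a bound parameter is never parsed as SQL regardless of its content or type.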

I have put together a list of further resources I have found useful in learning about SQL Injection as well as how to protect against it.

Advanced SQL Injection

Whitepaper on SQL Injection

Protecting Yourself from SQL Injection Attacks

SQL Injection FAQ

posted Sunday, September 28, 2003 6:24 AM by RHurlbut
