Do Developers Hold The Bag For Latest SQL Injection Exploits?

Reports that the latest SQL injection exploit may have impacted hundreds of thousands of sites running IIS and SQL Server in recent days have put Microsoft, once again, on the defensive. Redmond's tacit response: database developers are holding the bag on this one and need to clean up their act.

There are no new vulnerabilities in SQL Server or IIS, wrote Bill Sisk, a communications manager for Microsoft's Security Response Center, in a blog posting Friday. "To protect against SQL injection attacks the developer of the Web site or application must use industry best practices," Sisk wrote.

So is Microsoft passing the buck by blaming developers? Many are pointing out that while SQL injections can be extremely destructive and costly, any database left vulnerable will execute anything it determines is valid SQL, be it SQL Server, Oracle, IBM's DB2 and others.

"To suggest that the database vendor should somehow know and choose which SQL should or should not be executed, outside of security and data quality constraints is way out of bounds," said Wayne Snyder, president of the user group Professional Association for SQL Server (PASS) in an e-mail. "It would be great if all software could do what we intend, instead of what we say."
Snyder, who is also a managing consultant at Mariner, a Charlotte, NC consultancy and Microsoft business partner, believes threats like this are universal. "I cannot recall the last time I saw any software which spent any effort at all in denying this kind of attack. Lack of money, lack of time, lack of interest, difficulty in deciding what to do -- all contribute to the fact that most apps and programmers do not defend against this."

According to various reports, these attacks occur after a hacker injects malicious JavaScript code into the actual database server, which in turn can insert or create one or more malicious scripts that can wreak havoc on the computer of a user visiting the offending Web site.

While the key to protecting against a SQL injection exploit lies with good architecture and development, the United States Computer Emergency Readiness Team (US-CERT), a division of the Department of Homeland Security, advises end users to disable JavaScript and ActiveX controls and, of course, to employ good patch management.

Most will agree that it's not an ideal solution by any stretch. For those already infected, DBAs should restore their DBMS "from a clean backup copy and start reviewing your code to make sure all input is properly sanitized; otherwise, you'll just get hit again," writes Scott Gilbertson in a Wired blog.
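As an added illustration of the point made above (example code written for this post, not code from the article, from Microsoft or from any vendor mentioned), the string-built query that lets a database "execute anything it determines is valid SQL" sits beside the parameterized form that treats the same input as plain data. It uses Python's sqlite3 on a constructed in-memory table; the behaviour generalizes to SQL Server, Oracle or DB2, because every engine runs whatever valid SQL it is handed.

```python
import sqlite3

# Constructed sample data: a tiny product catalogue held in memory.
SAMPLE_ROWS = [
    ("widget", "Basic widget"),
    ("gadget", "Deluxe gadget"),
    ("gizmo", "Gizmo, limited edition"),
]


def open_catalogue():
    """Create an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE product (name TEXT, description TEXT)")
    conn.executemany("INSERT INTO product VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def find_unsafe(conn, name):
    """Vulnerable form: the user-supplied value is pasted into the SQL text.

    The engine cannot tell where the developer's SQL ends and the input begins,
    so it executes whatever valid statement the input turns this into.
    """
    sql = "SELECT name FROM product WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def find_safe(conn, name):
    """Hardened form: a parameterized query.

    The input is bound as a value after the statement has been parsed, so it
    can only ever be compared against the name column, never change the query.
    """
    sql = "SELECT name FROM product WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def compare(name):
    """Run both forms on the same input and return their result lists."""
    conn = open_catalogue()
    return {"unsafe": find_unsafe(conn, name), "safe": find_safe(conn, name)}


if __name__ == "__main__":
    # A normal lookup behaves identically in both forms.
    print(compare("widget"))
    # Constructed hostile input (the textbook tautology): the string-built
    # query matches every row; the parameterized query matches nothing,
    # because no product is literally named "nothing' OR 'x'='x".
    print(compare("nothing' OR 'x'='x"))
```

The lesson is the one Gilbertson and Snyder draw: the fix lives in the application code, not in the database product, and "sanitizing" input by hand is a poorer substitute for parameters than the example makes it look.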

Should you not have a clean backup of your database, Gilbertson points to a workaround by Giorgio Maone, which simulates the attack but removes the infected JavaScript. Maone is a database developer in Palermo, Italy, who founded the company InformAction, where he wrote NoScript, an extension for the Mozilla Firefox browser that is designed to run JavaScript only on trusted Web sites.

In fact, Maone has his own thoughts on whether or not the latest SQL injection exploits are a flaw unique to SQL Server. Among other things, he points out that there is no vulnerability specific to Microsoft; at the end of the day, "these infections are caused by poor coding practices during Web site development."

Will this latest exploit be the one to lead IT organizations to put more emphasis (priority and money) into more secure coding practices? That remains to be seen but unless this creates a cataclysmic casualty that has a sizeable impact or threat to the economy or causes a highly publicized event (well beyond the tech media), I wouldn't bet on it.

"Unfortunately many discussions and project plans do not even have this as an item on the risk assessment," Snyder notes. "The sad truth is that we, as developers, DBAs, and project managers are left holding the bag on this -- because it's our bag!"

What's your opinion? Please drop me a line.

Posted by Jeffrey Schwartz on 04/30/2008 at 1:15 PM

Will SQL Server 2008 Slip Again?

With Microsoft's announcement late last week that it will release SQL Server 2005 Service Pack 3 (SP3) this summer, it begs the question: What's the status of SQL Server 2008?

Officially, it's still on track to be released to manufacturing in the third quarter and Microsoft officials say nothing has changed on that front. But some say they won't be surprised if the RTM actually slips again into the fourth quarter.

"The rumors I hear still say August or September," says Andrew Brust, chief of new technology at twentysix New York and founder of the NYC .NET User Group, answering a question at last week's meeting in New York. But "my gut, just judging by the stability of the latest [community technology preview] is that it's going to get pushed back another quarter."

Brust, who led last week's meeting, emphasized that his opinion was not based on any tangible knowledge, but he is the author of the book Programming SQL Server 2005 and is co-authoring the sequel, Programming SQL Server 2008, with his colleague Lenni Lobel.

"It's all just gut and feel, I do think they will make it out this year, the name compels them to do so," Brust told the group of about 100 developers.

Feeding the speculation that it may slip is the number of bugs that still exist and the time developers need to test some of the new features that are slowly being added to the CTPs, said Joshua Jones, principal of Denver-based Consortia Services, in an e-mail to me.

"If we can't thoroughly test the features, a lot of us are going to be reluctant to endorse the features or implement the features in our own environments," Jones said.

"Additionally, there have been plenty of bugs and a lack of documentation around some new features that make us think we might be running into potential showstoppers," he added. "Of course, they could, at the last minute, choose to remove 'incomplete' features from the RTM and make them available in SP1 for SQL 2008 (a la database mirroring in SQL 2005)."

Francois Ajenstat, Microsoft's director of SQL Server marketing, did not respond to an e-mail, but a spokesman says SQL Server 2008 is scheduled to RTM in the third quarter. Regarding any bugs, he aptly says to make sure to report them all so they can be fixed.

Brust told developers not to get too upset if it does actually slip. "They need to be real careful about this," Brust said. "It's not a major, major update in terms of the developer features but there are a lot of data warehouse features and optimizations to make it work faster, and if those things only work most of the time we will have a disaster. I think it's normal and a good thing for the database to suffer a few intermediate setbacks so don't get upset about it."

Meanwhile Jones welcomed the news that there will be a SQL Server 2005 SP3. "Of course, there's not much detail about what will be in the SP, but I think this is a huge step in maintaining good standing with customers," Jones wrote in his blog. "While many people jumped at the chance to go from SQL Server 2000 to 2005, the jump to 2008 will be a little more hesitant, mostly because of the difficulty in moving database platforms in production environments. Hopefully, this SP will give people a 'longer life' in SQL 2005, while giving them the opportunity to more carefully evaluate SQL Server 2008."

What are you finding? Please let me know.

Posted by Jeffrey Schwartz on 04/23/2008 at 1:15 PM

Women Give Thumbs Up To MySQL

When contributing editor John K. Waters showed up at yesterday's annual MySQL Developers conference in Santa Clara, Calif., he was struck by the large percentage of women in attendance.

"Take it from a guy who has been attending these events for a decade and a half," he said to me in an e-mail. "There were more women at this conference than I've ever seen at a tech trade show."

Though I found his observation interesting, I probably wouldn't have thought to draw attention to his off-the-cuff mention until I came across this eWeek article, "Where Did All The Girl Geeks Go?" -- which finds that the number of women in IT is on the decline.

Citing a survey by the National Center for Women & Information Technology, the article says women account for just 26 percent of the IT work force, even though they represent 51 percent of the entire labor pool. The real issue, however, is that interest in computer science as a field of study is on the decline.

All of that seemed moot at the MySQL Developers conference. Waters said he asked Ann Ruckstuhl, VP of sales and marketing at Zmanda, about it, who said she hadn't really noticed the ratio shift. "But if it's true, I'm not that surprised," she told him. "This industry is based on merit, and there are a lot of smart [people] out there of both sexes."

The company's products are based on the long-running Amanda project (17 years to date). The popular open-source backup and recovery software is used by more than half a million servers and desktops running various versions of Linux, UNIX, BSD, Mac OS X and Windows worldwide.

Thanks, John, for sharing that with us. Also, at the first MySQL Developers conference under its new corporate owner, Sun Microsystems, MySQL's former CEO Marten Mickos, who is now senior vice president in Sun's Database Group, talked about the roadmap for the next release of the open source database, MySQL 5.1. The release candidate is now slated for the end of June, he said.

Posted by Jeffrey Schwartz on 04/16/2008 at 1:15 PM

Open Source Databases Fight Growing Pains

Is enterprise adoption of open source database servers on the rise? They are certainly making headway but are facing challenges, The Wall Street Journal (paid subscription required) reported yesterday.

The Journal points out what most enterprise database server geeks already know: open source databases still account for a small slice of the $21.6 billion (Gartner's forecast for 2008) database server market. IDC database guru Carl Olofson told WSJ that the users of open source database servers tend to be midsized companies that don't need some of the higher end features of enterprise database servers.

Pointing to virtual call center provider LiveOps, the Journal frames the issue facing these companies as: as they grow, will these databases be able to scale to handle their growth?

"While open source databases have been widely deployed for Web-tier applications, there has been minimal adoption in the enterprise application tier, and adoption for enterprise applications is at this time limited to certain specific application workloads," writes 451 Group analyst Matthew Aslett, who released a report last month on the impact of open source databases on enterprises.

The 451 Group report says there has been minimal adoption so far of open source databases at the enterprise application tier. In order for that to change, enterprises will expect to see improved service and support and improved functionality.

With next week's MySQL Developers Conference slated to take place in Santa Clara, Calif., all eyes will be on what's next for the company now that it is a part of Sun Microsystems. Mårten Mickos, CEO of MySQL, is expected to reveal where he sees Sun taking the open source database developer.

Indeed 451 Group's Aslett suggests that observers should not be too quick to write off the future of open source databases in the enterprise. "The adoption of open source software for non-mission-critical applications and new projects will continue," he writes, "and we expect to see open source databases gradually surround proprietary database deployments."

Posted by Jeffrey Schwartz on 04/09/2008 at 1:15 PM

Oracle's Open Source Spin

I attended the Linux/Open Source on Wall Street conference yesterday in New York and was intrigued to hear Monica Kumar, a senior director for open source product marketing at Oracle, talk up her company's competence in helping organizations move to Linux and work in development environments such as Eclipse. "Our customers are adopting open source and are demanding our technologies support open source," Kumar said during the opening panel session.

No surprise there; after all, Oracle has championed Linux for about a decade and the company typically releases new software first on Linux, then on other platforms. But I couldn't help but notice the irony in her remarks when it came to the obvious omission of open source databases. After her session I asked her about that, particularly in the wake of Sun Microsystems' acquisition of open source database provider MySQL.

"We haven't seen our customers asking for open source databases," she told me. "Not many customers are interested in looking into the code and mucking around with it, and making changes to it. All they care about is 'give me the best support, give me the lowest price of entry'." For that Kumar pointed to Oracle Express.

While MySQL accounts for a small sliver of the overall enterprise database market and poses little short-term threat to the established database platforms, the Sun deal is also subtraction by addition for Oracle, since until now Oracle was Sun's preferred database when going to market with its solutions.

For now, Oracle's database business is holding its own. While Oracle's overall revenues for the quarter that ended March 15 failed to meet Wall Street expectations, it is interesting to note that its database business for the period actually grew 20 percent, up from 17 percent a year ago. However, that didn't do much for the company's stock price last week, when the company reported earnings were up 30 percent on lower than anticipated revenue, which sent shares tumbling 8 percent. Its stock has since started to bounce back.

So what's your take? Do enterprise developers want to muck inside the code of a database or will the DBMS remain the platform of choice? Send me e-mail or post a comment to this blog.

Posted by Jeffrey Schwartz on 04/02/2008 at 1:15 PM

Lost In The Shuffle, A New Database Sighting

Sybase may be the perennial fourth largest supplier of enterprise database servers in a three database race. But its databases still have clout in a number of key industry segments, including telecommunications and financial services.

Yet last week, all of the attention on Sybase went to its new iPhone support and the fact that it seems to have gotten a respite from Sandell Asset Management Corp., which holds 6 percent of Sybase's shares and has been in conflict with management over ways to improve shareholder value. Without getting into the gory details, Sybase has agreed to purchase $300 million of its own common stock.

Lost in all that, Sybase last week upgraded its embedded database offering. Sybase's new Advantage Database Server 9.0 boasts a major boost in performance for large transactions and is designed to support both ISAM table-based and SQL-based data access, making it a viable option for organizations with legacy applications looking to meld their systems with more current technologies.

Advantage is often used by commercial and corporate developers, Sybase said. Among other things, the new release adds Visual FoxPro 9 file format support, the ability to run as a native 64-bit app on Windows and Linux for better memory utilization, and a new visual SQL debugger. According to Sybase, the new debugger lets developers debug SQL scripts, stored procedures, triggers and user-defined functions. The price ranges from $645 for five users to $7,870 for an unlimited license.

Posted by Jeffrey Schwartz on 03/26/2008 at 1:15 PM

SQL Server Data Services: What Is It?

My colleague, senior editor, Kathleen Richards was at MIX08 in Las Vegas two weeks ago. Suffice to say she received a brain dump on Silverlight and a number of other big announcements there. When she called from Vegas, my first question was, how's Silverlight? It was quite impressive, she said, adding that there was another big surprise: Microsoft launched at MIX08 SQL Server Data Services, or SSDS.

"Is it a hosted version of SQL Server?" I asked her. It's a cloud-based repository service that will offer APIs that enable storage in the cloud, she said (which she also wrote in her subsequent report).

I suspect there are still a lot of developers wondering what SSDS is and what it means to the future of SQL Server and data-driven applications. According to a Microsoft FAQ, it is a storage-based service that will enable quick provisioning of on-demand, data-driven and mashup applications and other Web 2.0 apps.

Kate's report from MIX, which is in the current issue of Redmond Developer News, provides a great synopsis of what SSDS is about. Here are some key points from her report:

SQL Server Data Services uses a simple schema based on a model that's defined by three levels: authority (location of the data), containers (unit of partitioning the data) and entities. SQL Server is "the DNA of the service," says Tudor Toma, a group product manager at Microsoft. Currently, it supports SQL Server 2005.

The objective is to provide a low barrier to entry, Toma explains, and then based on developer and partner feedback, Microsoft will add more functionality so that the service is closer to what SQL Server offers today. Toma's group is also considering on-premise service APIs.

Queries are made using a LINQ syntax from C#. "That's how you express the query," says Soumitra Sengupta, a Microsoft program manager, "but you can consume it from PHP, from Ruby on Rails, from whatever environment; it's completely based on REST verbs."

Like Astoria, SQL Server Data Services will support ATOM and the ATOM Publishing Protocol. Microsoft is not going forward with Web3S.

SQL Server Data Services will be a closed beta program until the second half of this year, says Toma. Updates will be released every few months, and the service is expected in the first half of 2009. Interested developers can register to participate in an invitation-only beta on the homepage.

Thanks Kate for that very insightful report. Some other points that bear noting, excerpted from Microsoft's FAQ on SSDS:

Will SSDS support everything in SQL Server?
SSDS will initially only expose a small subset of what is in SQL Server. Microsoft says it plans to extend the capabilities of SSDS over time with such features as binary large object columns, full text search, and richer data types.

How will developers and customers use SSDS?
It is designed to let developers rapidly run on-demand applications, while end users will be able to query and modify any amount of data. SSDS will support REST and SOAP interfaces, which are designed to work with any Internet-development toolkit. XML is the primary interface.

What might SSDS be used for?
Data archival, reference data such as catalogs, business functions such as HR services (i.e., healthcare records management), and Web facing applications including social networking and picture sharing.

While it remains to be seen whether SSDS will catch on, it is a safe bet that this will not be appealing to those running mission-critical or sensitive data any time soon. Also the proof will be in other details, including proven performance, security, reliability and, of course, price. Since Microsoft is targeting SMBs, the implication is this will be less expensive than deploying in-house, data-driven applications. While the devil will be in the details, SSDS no doubt will be worth watching.

Will this be a flash in the pan, or will SSDS redefine data-driven applications? Please share your thoughts.

Posted by Jeffrey Schwartz on 03/19/2008 at 1:15 PM

The Database Decision

Does cost drive the decision of what database to deploy? And are the business owners getting the final (or increased) say on that choice? According to Jeremy Lehman, the former chief software architect for Citigroup's global equities group and now founder of New York-based Radical Analytics, cost certainly is an issue in the capital markets sector. And it's the business managers who are raising the issue, said Lehman, who gave his observations during a session at Microsoft's Financial Services Developers Conference in New York yesterday.

Lehman raised the point while saying until a few years ago Microsoft's SQL Server was not ready for prime time in the capital markets. But now he said SQL Server has become a viable choice and is widely deployed.

"It's driven by cost," Lehman said. "The technologists feel threatened by a new skill or feel it makes them less pivotal [but] it often does come down to cost."

Have database servers become a commodity? What drives the decision of what database to deploy in your organization when rolling out an application? Have the criteria changed lately? Drop me a line at [email protected] or post a comment in this blog.

Posted by Jeffrey Schwartz on 03/13/2008 at 1:15 PM

Having Trouble Installing SQL Server CTP? Try "L" for Local

Having a tough time installing the latest CTP of SQL Server onto a local system? I ran into Lenni Lobel, a principal consultant at twentysix New York, at the Heroes Happen Here launch event in New York, and you'll be glad to know you're not alone.

At the partner pavilion during the launch, Lobel was confronted by several would-be testers and learned that a number of them were struggling as well. Some people even gave up. Lobel, who admits he was initially stumped himself, said he searched around and found no documentation on the issue. So he hacked away and ultimately discovered that during the installation process, when the dialog box comes up where you are supposed to specify the service accounts, you should type "L" for local. "I plugged away at it until it gave," said Lobel, who is also plugging away on a SQL Server 2008 book.

Posted by Jeffrey Schwartz on 03/05/2008 at 1:15 PM

The Most Important Acquisition In Modern Software History?

When Sun Microsystems this week announced that it completed its deal to acquire open source database vendor MySQL, the company set the stage to over-promise and under-deliver. As I wrote last month, there's plenty of reason this deal has a lot of promise -- but at a $1 billion price tag for a company with a fraction of the revenues, Sun needs MySQL to be a blockbuster to pay off.

Looking to show that potential, president and CEO Jonathan Schwartz (no relation) pressed the pedal to the metal on the hype barometer by not just reiterating his contention that buying MySQL would represent the most important deal in Sun's history but "the most important acquisition in the modern software industry."

But the platitudes didn't stop there. "With this acquisition, Sun changes the landscape of the software industry and provides the most complete open source solution for rapidly building and deploying efficient, effective and secure Web based applications and services," Schwartz said.

Perhaps most noteworthy was the fact that Schwartz sees MySQL as giving Sun a stack closer in line to that of Microsoft, which of course has SQL Server, as well as operating system, development framework and mid-tier integration platforms in its arsenal.

"What we see customers doing is really migrating toward complete platforms; they have clearly elected a proprietary platform for their desktop, and we see them increasingly looking toward open source solutions for the server side," Schwartz said. "To the extent that we can deliver that complete platform, we think there's a massive opportunity, not simply in the world of the software marketplace but the computing marketplace, the storage market as well as the network market."

If indeed Sun does pull all of that off and regain the momentum it had before the dotcom bust, perhaps the MySQL acquisition will be remembered as the most important deal in the modern software era.

Posted by Jeffrey Schwartz on 02/28/2008 at 1:15 PM

A Key To Big Blue's IOD Strategy

I attended a press conference earlier this month in New York, where Big Blue talked up its latest prize -- Cognos Inc., which it acquired last month for $5 billion -- marking the company's largest acquisition ever. Executives at IBM explained why the company abandoned its longstanding stance on partnering with various BI players.

While pledging to be open, Steve Mills, senior vice president and general manager of IBM's software group, said performance management must be an embedded component of its Information On Demand strategy. "It was time to bring these things together and make them one contiguous set of capabilities," Mills said.

Posted by Jeffrey Schwartz on 02/20/2008 at 1:15 PM

SQL Server 2008 Beta: It's Here!

With just one week to go before Microsoft's big enterprise software launch in Los Angeles, the company has dropped what it calls the first "feature-complete" beta release of SQL Server 2008.

One feature Microsoft is really touting is its support for compression.

"Some of the performance gains by turning on compression are huge," said Francois Ajenstat, Microsoft's director of SQL Server product management, in a recent interview. Microsoft decided to up the ante after IBM did the same back in 2002 with DB2, where compression has become a popular feature, according to a report in Beta News.

Other key features in the CTP: improvements to the Declarative Management Framework (DMF), which adds policy management to the database server, and support for full text search. It is available for download here.

Once you test the beta, drop me a line and share your thoughts at [email protected].

Posted by Jeffrey Schwartz on 02/20/2008 at 1:15 PM