SQL Server 2005 Security and the Microsoft Developer's Security Resource Kit
What is the Microsoft Developer’s Security Resource Kit?
The Microsoft Developer Security Resource Kit is a single resource that provides security-related development guidance. Its contents include best practices, how-to guides, code samples and sample applications, training, and white papers on security topics. This must-have DVD is available free for a limited time — you pay only a small shipping & handling charge. The resource kit is proof that developing more secure applications is easier than you thought, and with this free offer, there is no better time to order your own copy.
What kind of tools are included with the Resource Kit?
Tools available on the resource kit include training, code samples and sample applications, how-to guides, security best practices, and development checklists. It also includes an index of tools developers can use to analyze code for security flaws, detect errors, and test for compatibility issues. The resource kit brings all this essential content together in once place so it’s at your fingertips.
Who needs a copy of it?
Every Microsoft developer needs a copy of the resource kit. The Microsoft Developer Security Resource Kit makes it easier to develop more secure applications by putting a wealth of information at your fingertips. The resource kit is essential to developers to get up to speed on the latest security best practices and learn how to incorporate these best practices into their code. For developers who are already familiar with many security best practices, the resource kit also includes numerous useful code samples and sample applications, and access to free tools developers can use to analyze their code.
What, inside the Resource Kit, is of use directly to SQL Server 2000 and SQL Server 2005 developers? How can this be applied to them?
The guidance for SQL developers is relevant to both users of SQL Server 2000 as well as SQL Server 2005. While, the Security Resource Kit does not go into specific security features of SQL Server 2005, it does provide a link for users to order an evaluation copy for just shipping and handling to explore it on their own and compare.
What are the biggest security threats to SQL Server 2000 and SQL Server 2005?
I don’t have any specific information on this. Listings for threats and vulnerabilities for Microsoft products can be found on any number of security research and statistics websites such as www.secunia.com.
Which is the bigger security problem, and why: the code written to access SQL Server or SQL Server itself?
A platform is only as secure as the applications that are written upon it. This is true for all platform providers. Microsoft recognizes the importance of educating our customers and everyone on how to write more secure applications using these best practices and how to leverage the tools and technologies Microsoft has created to help them do this.
What are some of the best practices that SQL Server developers can follow to enhance the security of their application?
The resource kit provides several training modules on protecting and defending your SQL database, numerous SQL Server how-to guides, and a useful tool for executing SQL queries. Specifics include techniques on input validation from the application layer, to use of stored procedures and parameters in their SQL calls rather than allowing free form SQL query access.
What features in SQL Server 2005 have been added to help enhance security from a developer’s perspective?
Here’s an excerpt from the “What’s new in SQL Server 2005” website that helps to answer this question.
SQL Server 2005 makes significant enhancements to the security model of the database platform, with the intention of providing more precise and flexible control to enable tighter security of the data. A considerable investment has been made in a number of features to provide a high level of security for your enterprise data including the following:
- Enforcing policies for SQL Server login passwords in the authentication space.
- Providing for more granularity in terms of specifying permissions at various scopes in the authorization space.
- Allowing for the separation of owners and schemas in the security management space.
A new security model in SQL Server 2005 allows administrators to manage permissions at a granular level and at a designated scope, making management of permissions easier as well as ensuring that the principle of least privileges is upheld. SQL Server 2005 lets you specify a context under which statements in a module execute. This feature also acts as an excellent mechanism for granular permission management.