 | A community of more than 1,600,000 database professionals and growing |
| | | Better Static Code Analysis and Security Scans I was listening to a talk from Stefan Simenon on their CI/CD transformation within ABN AMRO, a large financial company. One of the interesting things he noted was that they consider open source to be less secure, possibly with more vulnerabilities than in house written software. Their build pipeline will fail if a developer starts using new OSS components. I find that interesting, as the DORA 2018 State of DevOps report sees more use of OSS software in companies that are adopting DevOps. In general, I think that having many people able to view the source and find errors makes companies feel that open source is more secure. I think that's likely more true, though it's a bit of a philosophical argument. We can look at some data, but it's hard to prove that one or the other is empirically more secure. The thing I agree with is that using new components without some review is not a good idea. Whether this is written in-house, copied from an Open Source project, or purchased from a vendor, we need to perform some testing and analysis of the code or component. This is also true in database code. When we get a query from a developer, it's often easy to determine what is happening, but when the size of code grows, or there is a large stored procedure, we often don't perform a detailed analysis. What's worse, we don't have good static code analysis tools for database languages. As much as I like what Redgate Software has done with SQL Prompt, I know this is rudimentary and is built to avoid code smells. There isn't any detailed look at whether the code is secure, or if there might be unintended effects. There aren't really any good tools I've seen, though I'm not even sure what I'd want here. How can a tool tell me that querying 4 tables and updating 3 more is OK, but an insert to some other table in a separate database is bad. That insert to the other database might be what a malicious actor wants to copy data elsewhere. The best thing to me would be some analysis of what objects are being touched and how, which could help alert developers to potential issues. Building static code analysis tools for database languages is hard, but it's something that our industry needs to do. This is even more true when we start to have more programmability features, like the ability to execute other languages inside of our database engines. In those cases, not only do we need to ensure the code for another language passes test, but that we understand what types of interactions our database code has with those modules. Steve Jones from SQLServerCentral.comJoin the debate, and respond to today's editorial on the forums |
| The Voice of the DBA Podcast Listen to the MP3 Audio ( 3.5MB) podcast or subscribe to the feed at iTunes and Libsyn.  The Voice of the DBA podcast features music by Everyday Jones. No relation, but I stumbled on to them and really like the music. |
|
|
|
| | ADVERTISEMENT |  | | Benchmark your Database DevOps maturity level Get a better understanding of how advanced your current processes are, receive recommendations for improvements, and see how your maturity level compares with that of your peers. Complete the Database DevOps Maturity Assessment |
|  | | Redgate University Self-paced online training courses with easy to follow classes on getting started, exploring advanced features, and making the most of Redgate products. Learn the fundamentals, best practices, and top tips from the experts - Redgate’s Microsoft Data Platform MVPs and engineers.
Start Learning |
|
|
|
| | |  | Bill Pearson from SQLServerCentral.com Return, in order, a specified number of elements from the end of a set. SSAS Maestro, SQL Server MVP and Business Intelligence Architect Bill Pearson introduces the MDX Tail() function. More » |
 | Press Release from Redgate Resilient T-SQL code is code that is designed to last, and to be safely reused by others. The goal of defensive database programming, the goal of this book, is to help you to produce resilient T-SQL code that robustly and gracefully handles cases of unintended use, and is resilient to common changes to the database environment. More » |
 | The 2018 Accelerate State of DevOps Report from DORA specifically calls out database development as a key technical practice which can drive high performance in DevOps. It’s an interesting shift in our understanding of what should be included in DevOps workflows because it moves the database from being a bottleneck in the process to being a participant. At the same time, however, new data protection laws are coming into play and consumers are more aware than ever before of how their privacy can be compromised. So how can the promise of releasing changes to the database faster and easier be balanced with the need to keep data safe and remain compliant with legislation? More » |
 | Additional Articles from MSSQLTips.com In this tip we look at how we can use SQL Server to auto generate a backup script for NetBackup to make sure we backup the required databases. More » |
 | david.fowler 42596 from SQLServerCentral Blogs What’s the deal with logins and availability groups? I’m sure that we all, when creating a login that accesses a database... More » |
| | Igor Micev from SQLServerCentral Blogs This post is about some queries and scripts that I use in my daily work on SQL Server. Some of... More » |
|
|
| | | Today's Question (by Steve Jones): What type of data structure is returned from this code? airports = "DEN", "LHR", "IAH", "LAX", "IAD", "ORD" type(airports) |
Think you know the answer? Click here, and find out if you are right.
We keep track of your score to give you bragging rights against your peers.
This question is worth 1 point in this category: Python. We'd love to give you credit for your own question and answer.
To submit a QOTD, simply log in to the Contribution Center. |
|
|
| |
| ADVERTISEMENT | | The company's new IT initiative, code named Phoenix Project, is critical to the future of Parts Unlimited, but the project is massively over budget and very late. The CEO wants Bill to report directly to him and fix the mess in ninety days or else Bill's entire department will be outsourced. Get your copy from Amazon today. |  |
|
|
|
|
|
|
| Yesterday's Question of the Day |
| Yesterday's Question (by Steve Jones): The Christmas Price Index measures the current cost of the gifts from the 12 Days of Christmas. Currently this is an amazing $39,094.93, up 1.2% from last year. What is the most expensive gift on the list?
Answer: select cost from TwelveDaysGifts where gift = 'seven swans-a-swimming' Explanation: The swans are the most expensive gift again. Merry Christmas Ref: Christmas Price Index - click here
» Discuss this question and answer on the forums |
|
|
| Database Pros Who Need Your Help |
| | |
| This email has been sent to newsletter@newslettercollector.com. To be removed from this list, please click here.
If you have any problems leaving the list, please contact the webmaster@sqlservercentral.com.
| This newsletter was sent to you because you signed up at SQLServerCentral.com.
Feel free to forward this to any colleagues that you think might be interested.
If you have received this email from a colleague, you can register to receive it here.
| This transmission is ©2018 Redgate Software Ltd, Newnham House, Cambridge Business Park, Cambridge, CB4 0WZ, United Kingdom. All rights reserved.
Contact: webmaster@sqlservercentral.com |
|
|