
04/30/08 02:19 PM

Don't Blame Microsoft

Posted by Mike Markiewicz

You may have heard about the recent SQL injection attacks and how they only affect Microsoft IIS servers. You may have also heard that Microsoft has said that it’s not their fault.

Basically, there are a surprising number of sites that allow SQL code to be entered and executed, and Microsoft said that it’s not up to them to write good code for you.

This is when we security folks say, “See? You do need us!” While every programmer should be aware of SQL injection, it helps to have a security expert review your code. At the very least, holes that are as obvious and easy to fix as this will be avoided.

2 Comments for Don't Blame Microsoft

Don’t blame Microsoft. Blame organizations that use Microsoft.

IMHO.


Scott Shorter    04/30/08 02:24 PM    #

Guns don’t kill people, internal bleeding, infection, and major organ damage do. Case in point, Microsoft provides the tools, it’s still up to the users to use them properly, and be responsible about it. If that means locking up everything to ensure others can’t misuse it, then that’s what should happen.

I’ve been seeing a recent trend in coding these days, of people simply using the samples and tutorial code as actual production. It’s still the developer’s job to protect the assets of the company, especially if it’s their code that is causing destruction, damage, or loss.


Tim    05/01/08 10:09 AM    #