I was doing an audit today (I know, the term “audit” should only be used in connection with a financial exam, but everybody but Public Accountants uses it this way) and examining the users inside a SQL database that holds one heck of a lot. I wish more IT Auditors would start looking inside databases.
Every single application ID was “dbowner” in its database. Every single one. All these different application functions, with “dbowner” rights. Why bother to have a dozen IDs? Just to fool the client? Guess so. Yes, the application does respond based on Windows user ID – but the application ID, which accesses the database for the application, has total rights over the database. It makes everything work just hunky-dory (dating myself, I know) but there’s six ways to Sunday to utilize that kind of power inside the database.
Developers do it this way because it’s fast and easy. But combine this with a badly configured web server and you have a break-in waiting to happen. That’s exactly what I’m looking at today, and it really makes me wonder when business is going to wake up and secure their software.
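Here is what that check and its fix look like in T-SQL, as an added example that is not from the original post or the audited system: the audit query that lists db_owner members, the weak setting the audit found, and a least-privilege role that only lets the application ID execute its own stored procedures. It assumes SQL Server, and the names AppUser, AppRole and the schema app are placeholders.

```sql
-- 1. Audit check: list every database principal that sits in db_owner.
--    Run in each application database; every application ID showing up here
--    is the finding described above.
SELECT dp.name AS member_name, dp.type_desc
FROM sys.database_role_members AS drm
JOIN sys.database_principals AS r  ON r.principal_id  = drm.role_principal_id
JOIN sys.database_principals AS dp ON dp.principal_id = drm.member_principal_id
WHERE r.name = 'db_owner';

-- 2. The weak setting as found: the application's user is simply made db_owner.
--    (Shown for contrast only; do not run.)
-- ALTER ROLE db_owner ADD MEMBER [AppUser];   -- or: EXEC sp_addrolemember 'db_owner', 'AppUser';

-- 3. Least privilege: pull the application user out of db_owner and give it a
--    role that can only EXECUTE the procedures in the schema the app calls.
--    [AppUser], AppRole and schema app are assumed placeholder names.
ALTER ROLE db_owner DROP MEMBER [AppUser];      -- older servers: EXEC sp_droprolemember 'db_owner', 'AppUser';
CREATE ROLE AppRole;
GRANT EXECUTE ON SCHEMA::app TO AppRole;        -- no direct table access, no DDL, no backup/restore
ALTER ROLE AppRole ADD MEMBER [AppUser];        -- older servers: EXEC sp_addrolemember 'AppRole', 'AppUser';

-- 4. Verify from the application's point of view: impersonate the user and
--    list its effective database permissions. db_owner-level rights such as
--    CONTROL or ALTER should no longer appear; EXECUTE on schema app should.
EXECUTE AS USER = 'AppUser';
SELECT permission_name FROM fn_my_permissions(NULL, 'DATABASE');
SELECT permission_name FROM fn_my_permissions('app', 'SCHEMA');
REVERT;

-- 5. Re-run the audit query from step 1; AppUser must no longer be listed.
```

If the application issues ad-hoc SQL against tables instead of calling procedures, grant SELECT/INSERT/UPDATE/DELETE on those specific tables to AppRole rather than EXECUTE on the schema; the point is the same, the application ID gets exactly the rights its queries need and nothing else.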
KPMG is saying that breaches are going to increase in 2009, and I can’t help but agree.