Jan 8 2009   6:10PM GMT

First GROAN of the New Year

Arian Eigen Heald Arian Eigen Heald Profile: Arian Eigen Heald

I was doing an audit today (I know, the term “audit” should only be used in connection with a financial exam, but everybody but Public Accountants use it this way) and examining the users inside a SQL database that holds one heck of a lot. I wish more IT Auditors would start looking inside databases.

Every single application ID was “dbowner” in it’s database. Every single one. All these different application functions, with “dbowner” rights. Why bother to have a dozen IDs? Just to fool the client? Guess so. Yes, the application does respond based on Windows user ID – but the application ID, which accesses the database for the application, has total rights over the database. It makes everything work just hunky-dory (dating myself, I know) but there’s six ways to Sunday to utilize that kind of power inside the database.

Developers do it this way because it’s fast and easy. But combine this with a badly configured web server and you have a break-in waiting to happen. That’s exactly what I’m looking at today, and it really makes me wonder when business is going to wake up and secure their software.

KPMP is saying that breaches are going to increase in 2009, and I can’t help but agree.

1  Comment on this Post

There was an error processing your information. Please try again later.
Thanks. We'll let you know when a new response is added.
Send me notifications when other members comment.
  • Suzanne Wheeler
    I am so glad you share all the boneheaded things you come across. It might just give me a better chance at recognizing a bad configuration before it's too late. With the variety of businesses being compromised increasing I no longer feel so safe.
    360 pointsBadges:

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to:

Share this item with your network: