Taking off the training wheels

Comments

# William said on July 15, 2004 8:43 PM:

Thanks for the comments Bill, I hope to continue with more information on features that I believe can be used incorrectly over the next couple of weeks. My blogs are starting to get bloated and it's not like I make them easy to read...

Oh, and I could not agree more on the stopping sql injection.
Here is a great paper from Cesar Cerrudo
http://www.itsecurity.com/papers/appsecinc1.htm I met him when he came to give a talk on campus while he was attending the seattle black hat conference and he is a great guy.

I loved his presentation, he showed us a tool that given a vulnerable textbox automatically downloaded the entire server database locally. This has got to stop.

# William said on July 15, 2004 11:50 PM:

Angel:

That's one of the best reads I've come across. Wow. The thing is that the info is out there in many regards - some people just don't come across it. But many people know it and just choose to ignore it. Most managers don't understand security and a lot of sales people are willing to sacrifice security in situations where deadlines were over promised. Same holds for performance. If I had a dollar for every time I've heard someone ridiculing normalization as a purely academic pursuit - only to have the performance choke them to death when the app goes live, I'd be living next door to Bill G.

Your company gets it the worst. Some peple can forget to add the service packs, leave a blank SA Password and do all sorts of other stuff and when it blows up - oh- it's Microsoft's fault - "you know there stuff is insecure". Like you can't write crap on Linux or something.

It will be a great day indeed when more programmers take design and security seriously.

BTW, don't worry about bloat - your stuff is great. Now we just need to get Sushil blogging ;-)

# William said on July 16, 2004 1:38 AM:

It took me a while, but I finally found Cesar's tool. It is called Data Thief and it is distributed as a proof of concept by Application Security, INC.

http://www.appsecinc.com/resources/freetools/

Give it a whirl, it is amazing.

# William said on July 16, 2004 1:49 AM:

I'm downloading it now - many thanks for the link.

# William said on July 16, 2004 9:03 AM:

"This feature, why having a ton of power to really improve the way your app runs also has the power to allow you to make a mess." - quote

I was at a meeting a while back with Scott Myers the guy who wrote "Effective C++". What you guys are running into with the new functionality of ADO is very similar to what we were talking about.

Scott said in response to somebody asking him what the worst feature of C++ was and he responded with this - "C++'s worst feature is also it's best feature. It's power to access and control any part of the machine from the processor itself at an assembler level all the way up through the layers to the highest levels of abstraction. It will allow you to shoot yourself in the foot in ways you never imagined possible."

Same thing with the new ADO to a lesser extent, the more powerful something is, also implies that if used incorrectly can mess things up a lot faster than a lesser technology.

# William said on July 16, 2004 9:44 AM:

Hi Andy:

I'm familiar with that book. I think it was Stroustrup if I remember correctly who said somethign to the effect of C++ giving you a much bigger gun than C did, it's just that the gun could easily be used to shoot off your foot instead of just wounding it.

We've obviously talked about the VB 'User' for instance and therein lies the problem. Whenever I learn anythign, I usually make every idiotic mistake one can make along the path and eventually get the hang of it. The only reason I'm employed is b/c I do my best to remember that I will never 'know' eveything or anything close to it, and that there's always a better way to do something. If someone brings it to my attention that somethign I wrote sucks - I used to get mad, particularly in school. This was a sign of pure insecurity on my part. Now I'm actually appreciate of it, even in those occassions when someone's being an a-hole. I'd rather fix it now than have the customers get screwed by it. This is where a lot of people go wrong.

Say you come from VSScript and old ASP. You are used to using dynamic sql and you whip up a web site that works and does the job. Someone comes by and looks at the code and is like 'Dude, you're littered with dynamic sql - paramaterize that stuff or use procs- that's an accident waiting to happen" You have two chioces then effectively. 1) Thank the guy for potentially saving your job 2) Get pissed off at him, come up with some transparent BS that you did it this way on purpose and that's how it should be b/c it works and that's how it was always done.

Wayyyyyy too many #2's out there. Now as much as I like to whine about misuing DB technology, Threading is a whole different beast. They made it very easy to 'get working' in .NET, but it's still something that you shouldn't use unless you took the time to learn it and have been very diligent with it. You don't just throw in another thread to solve any given performance problem.

When MARS hits the street, forget about it. Open up a bar downtown and offer DBA Hour from 6:00 - 10:00 every night - you'll make a killing. On the other hand, there's going to be a lot better stuff written too. The more things are different the more they are the same - ADO.NET, C++ - same story different technology. But the show must go on - and I'm all for it!

# TrackBack said on November 28, 2004 11:29 AM:

ADO.NET 2.0 - things to be careful of