CFUN-04 Homepage
Central Location of ColdFusion Conference and Seminars
Michael Smith: I am talking with Dave Watts about his CFUN-04 talk "Introduction to SQL Server 2000 Security". So why should CF programmers care about security, Dave?

Dave Watts: They should care because they don't want to get fired, or sued!

MS: Ouch! I guess if hackers break into your site and steal confidential data, that could happen. What should developers know?

DW: Writing applications that are exposed to the public, or to any untrusted users, requires the developer to know about security issues inherent in the environment in which those applications run. It isn't enough to have competent system administrators, since those administrators often don't understand what web applications do or how to secure them. I suspect that most CF programmers already know that they should care about security, though - they just may not know where to start.

MS: Is knowing about CFQUERYPARAM enough?

DW: Many CF programmers know enough nowadays to prevent SQL injection attacks using CFQUERYPARAM, but that's just a small part of securing access to the database. In my experience, most people using SQL Server don't know how to secure it adequately.

MS: So even if the CF code is not secure, SQL Server can protect your data?

DW: Not entirely, of course - the CF application needs to be able to access your data - but you can certainly limit your exposure by limiting how your application can interact with the database.

MS: So the application can't directly delete data, for example?

DW: Well, many applications are supposed to be able to directly delete data! However, there's a lot you can do to limit what your application can do to only the minimum that it needs to do. For example, your application typically doesn't need to be able to modify the database schema. Within SQL Server, you can use users and roles to prevent your application from being able to read or write to tables it shouldn't touch - you can even effectively limit your application to only be able to call specific stored procedures.

MS: If my application can only call specific stored procedures, how does it add, delete and update data?

DW: Sure, through stored procedures written to do so. The advantage here is that you can prevent someone from accessing the tables directly, or accessing them in uncontrolled ways.

MS: Is there any other advantage to this approach?

DW: There are a couple of noteworthy advantages. One obvious advantage is that you will generally get the same kind of performance boost as you would by using bind parameters through the CFQUERYPARAM tag. Another, less obvious but perhaps more important, is that you can separate your data access code from your application, and put it in the database, where it can be used by any future application that may share the same database.

MS: What about the database user authentication?

DW: There are several aspects of user authentication that a SQL Server user needs to know about. First, how does the database client - CF, in our case - authenticate against the database? Right now, CFMX uses an "untrusted connection." This is a simple username-password pair that is passed in something very close to plaintext to the database. Anyone with access to that network segment can read those values pretty easily, unless the connection itself is encrypted. The preferred way to connect to SQL Server generally is to use Windows authentication, which creates a "trusted connection." We'll take a look at the differences between the two, the advantages and disadvantages of each, and how to use a trusted connection from CFMX.

MS: That is neat. What about restricting access to certain tables?

DW: Once you've connected with some user account, which involves authentication, the database figures out what you're allowed to do, which involves authorization. We'll also cover how to restrict user accounts to the minimum privileges needed to get the job done. Unfortunately, more often than not, people just use the sa account from their database client, and that account can do just about anything.

MS: Is there anything else for account security?

DW: What user account does the database itself use? By default, SQL Server services run as "SYSTEM", which is the most privileged local security context. For the vast majority of operations, SQL Server can run as a user with far fewer privileges, which is a lot safer.

MS: Is there any way to encrypt the data between CF and SQL Server?

DW: Yes, you can! We'll take a look at how you can do this using functionality within SQL Server and within the underlying operating system, and when it's worth doing in the first place.

MS: Wow, it sounds like your talk will cover all the bases for security in SQL Server! See you at CFUN.
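One way to apply the users-and-roles approach Dave describes, where the application account can only call specific stored procedures and never touches tables directly, as an added example written for this page (not code from the talk or from TeraTech). It uses SQL Server 2000-era T-SQL; the database, login, role, table and procedure names are constructed placeholders.

```sql
-- Least-privilege setup for a ColdFusion application account on SQL Server 2000.
-- All names below (AppData, cfun_app, app_procs_only, dbo.Orders, dbo.GetOrder,
-- dbo.AddOrder) are constructed placeholders for this example.
USE AppData;
GO

-- Sample table the application works with (constructed for the example).
CREATE TABLE dbo.Orders (
    OrderID    int IDENTITY(1,1) PRIMARY KEY,
    CustomerID int   NOT NULL,
    Total      money NOT NULL
);
GO

-- 1. A dedicated SQL login for the application instead of sa. With a trusted
--    (Windows authentication) connection you would use sp_grantlogin on the
--    service account instead of sp_addlogin with a password.
EXEC sp_addlogin @loginame = 'cfun_app', @passwd = 'ReplaceWithStrongPassword', @defdb = 'AppData';
EXEC sp_grantdbaccess @loginame = 'cfun_app', @name_in_db = 'cfun_app';
GO

-- 2. A role carries the privileges, so they can be reviewed and reused
--    without editing individual user accounts.
EXEC sp_addrole @rolename = 'app_procs_only';
EXEC sp_addrolemember @rolename = 'app_procs_only', @membername = 'cfun_app';
GO

-- 3. Data access code lives in the database as stored procedures.
CREATE PROCEDURE dbo.GetOrder @OrderID int AS
    SELECT OrderID, CustomerID, Total FROM dbo.Orders WHERE OrderID = @OrderID;
GO
CREATE PROCEDURE dbo.AddOrder @CustomerID int, @Total money AS
    INSERT INTO dbo.Orders (CustomerID, Total) VALUES (@CustomerID, @Total);
GO

-- 4. Grant EXECUTE only on those procedures and explicitly DENY direct table
--    access, so a grant inherited through another role cannot reopen it.
--    Because dbo owns both the procedures and the table, ownership chaining
--    lets the procedures read and write Orders without the role needing
--    table permissions.
GRANT EXECUTE ON dbo.GetOrder TO app_procs_only;
GRANT EXECUTE ON dbo.AddOrder TO app_procs_only;
DENY SELECT, INSERT, UPDATE, DELETE ON dbo.Orders TO app_procs_only;
GO

-- 5. Verify from the application's security context (SETUSER is a SQL 2000
--    feature): the procedure call succeeds, the direct SELECT is denied.
SETUSER 'cfun_app';
EXEC dbo.AddOrder @CustomerID = 42, @Total = 19.99;   -- succeeds
EXEC dbo.GetOrder @OrderID = 1;                       -- succeeds
SELECT * FROM dbo.Orders;                             -- fails: permission denied
SETUSER;
GO
```

The CF datasource for this application is then configured with the cfun_app login (or a trusted connection) rather than sa, so even a query built unsafely without CFQUERYPARAM cannot read or alter tables outside the granted procedures.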

© Copyright TeraTech Inc 2003