analysis | Phil (aka MP3Monster)'s Blog

Tags

analysis, “Howard Durdle”, Experian, Security

A good friend of mine (Howard Durdle) is a security expert and CSO, he pointed out this really good Twitter trail breaking down the newly published report on the massive Experian data breach.

Alright, today is the day we get to find out if I was right or wrong about the level of dysfunction necessary for the failures that allowed the #Equifax breach to occur.

Why today? Because the House Oversight report has been released. Merry Christmas! https://t.co/bBsVfZdaHQ https://t.co/LLIW52fQ35

— Adrian Sanabria (@sawaba) December 11, 2018

https://twitter.com/sawaba/status/1072319618352627714

You don’t need to be a geek or a security expert to understand what is being said here, and more importantly reading between the lines as they say, the likely root causes. For me, this all points to cultural challenges, where organisational pressures or a lack of appreciation by mid level decision makers struggle to appreciate the need to invest in non functional factors such as security, patching and maintenance.

Sadly, Experian aren’t the first with this challenge, and won’t be the last. With DevSecOps etc the people building the software will understand the issue. But, I think we need to be working with educating the business stakeholders on the need for dealing with NFRs, and the need to prioritise certain types of issues.

Tags

analysis, app, code, MySQL, sql

With MySQL now capable of features such as stored procedures and functions the need for tooling to support SQL code quality is greater than ever. A number of tools provide editors with syntax support and all the fancy features you’d expect from a modern IDE (see Toad as a leading product).

However the means to assess the quality of the procedures or scripts written for MySQL or the divergence from ISO standards doesn’t exist, although plenty of options exist for T-SQL (MS SQL Server), PL/SQL (Oracle) and even some tooling for DB2 and Informix.

The value of the static analysis tool means you can implement quality measures, controls and reporting through Continuous Integration tooling such as Jenkins, Sonar etc. All of which is a little ironic when you consider a lot of energy in CI (and Continuous Delivery appears to come from the open source community) which usually supports MySQL as one of the 1st options for databases.

Does this mean there is a gap in the market? Such capabilities dont seem to be in the MySQL WorkBench roadmap. Would love to know what people think?

Of course if you can support MySQL, then the offshoots such as MariaDB wouldn’t be too difficult.