
Where are the DBAs?

October 7th, 2009

Filed under: DB Management, Development, SQL Injection — donwalrus @ 10:32 pm

What I really want to know is this: Where are the Database Admins (DBAs) these days?

I can't tell you how many times in the past 18 months that I've found real enterprises running vulnerable databases with default passwords, weak passwords and no real permissions management.

It’s bad enough that the stats right now are this (so I guess I can tell you):

  • 9 out of 10 organizations have a Microsoft SQL Database with a blank "sa" password (or an sa password of "sa", "sql" or "password")
  • 9 out of 10 organizations have a Postgres Database with a default password
  • 9 out of 10 organizations have a Sybase Database with a default password
  • Several default Microsoft SQL Server 2000 installations. Do you remember SQL Slammer/Sapphire??? Yup…still out there
  • Oracle Listener services not requiring authentication, which means anyone with network access can shut down the DB server
  • The common practice of NOT patching a DB server or deploying anti-virus. On a Microsoft SQL Server, an unpatched Windows vuln is all it takes: exploit it and "poof", there's a Terminal Services session and with it full control of the database (or the server falls prey to Slammer 7 years after the fact)
  • No defined DBA position: application developers or system admins are the DB admins. No wonder I see this so often
  • Storing passwords unencrypted. I've seen this in MAJOR software vendors' DB implementations

This is just the short list, but with all of the other ways to get access to a database through the applications connected to it, why has the industry at large neglected the baseline security parameters of database administration? Is being a DBA just not sexy enough these days? Is there a shortage of qualified DBAs? Can most organizations even afford a good DBA?
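Two of the items above, passwords stored in the clear and database access through the application, come down to a few lines of application code. The following is an added example, not code from this post: it puts the pattern the list complains about beside the hardened form. It assumes PHP 7 or later (password_hash()/password_verify() arrived in PHP 5.5, well after this post) with the pdo_sqlite extension, and uses an in-memory SQLite database so it runs offline; the users table, its columns and the sample accounts are constructed for the example.

```php
<?php
// Added example, not code from the post. Shows the application side of two items
// above: credentials stored hashed rather than in the clear, and database access
// through bound parameters so user input never becomes SQL. Uses PDO with an
// in-memory SQLite database so it runs offline; table and column names are
// hypothetical. password_hash()/password_verify() need PHP 5.5 or later.

function openDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (
        id INTEGER PRIMARY KEY,
        username TEXT UNIQUE NOT NULL,
        password_hash TEXT NOT NULL
    )');
    return $db;
}

// The pattern the post complains about: the clear-text password is written to
// the table, and the values are spliced straight into the SQL string.
function createUserInsecure(PDO $db, string $username, string $password): void {
    $db->exec("INSERT INTO users (username, password_hash) VALUES ('$username', '$password')");
}

// Hardened form: bcrypt the password (salted, work factor chosen by PHP) and
// bind both values, so the DB only ever sees a hash and the SQL text never changes.
function createUser(PDO $db, string $username, string $password): void {
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $db->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
    $stmt->execute([':u' => $username, ':h' => $hash]);
}

function checkLogin(PDO $db, string $username, string $password): bool {
    static $dummyHash = null;
    if ($dummyHash === null) {
        $dummyHash = password_hash('not-a-real-password', PASSWORD_DEFAULT);
    }
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        // Unknown user: still do one verify so the response time does not
        // reveal which usernames exist, then refuse.
        password_verify($password, $dummyHash);
        return false;
    }
    return password_verify($password, $row['password_hash']);
}

// What actually lands in the table under each approach.
function storedValue(PDO $db, string $username): string {
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    return (string) $stmt->fetchColumn();
}

$db = openDb();
createUserInsecure($db, 'bob', 'hunter2');                  // constructed sample data
createUser($db, 'alice', 'correct horse battery staple');   // constructed sample data

printf("bob   stored as: %s\n", storedValue($db, 'bob'));    // the password itself
printf("alice stored as: %s\n", storedValue($db, 'alice'));  // a bcrypt hash, not the password
var_dump(checkLogin($db, 'alice', 'correct horse battery staple'));
var_dump(checkLogin($db, 'alice', 'wrong password'));
var_dump(checkLogin($db, 'nobody', 'anything'));
```

Run it with `php example.php`. The point of the dummy verify in checkLogin() is that a login attempt for a non-existent user costs the same as one for a real user, so an attacker probing the application cannot tell the two cases apart by timing; the point of the prepared statements is that the database sees one fixed statement with separate values, regardless of what the application was sent.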

Forget the whole database optimization/normalization value of employing a DBA; the security implications of leaving DBA tasks in the hands of developers and engineers are massive.

Am I the only one seeing this, or can you relate?

A PHP Framework Worth Looking Into

January 15th, 2009

Filed under: Development, General, Web App Security — donwalrus @ 11:02 am

As a PHP coder myself, I know that it can be difficult for new programmers to build secure code. Aside from the Apache server config and the PHP config directives, writing secure code in PHP is often an afterthought — and it's really easy to write insecure code with PHP.

Where many of the difficulties lie is in the use of database connectivity, flashy AJAX and powerful JavaScript to make a highly functional, good-looking site. When coding these applications, many developers pull pieces of code from other sites and integrate them into their own, often unaware of input validation flaws, overflows and the use of insecure PHP functions.

Where PHP often fails as a language is that it's just that: a language. In and of itself, it has no input validation classes, no XSS or SQL injection class to use, and no reusable security mechanisms available out of the gate.

In searching for frameworks that can be utilized by programmers to assist them in writing more secure PHP code, I ran across CakePHP. CakePHP is a PHP Framework that allows for the rapid coding of new applications using a Model, View, Controller (MVC) architecture. Aside from enabling the rapid development of new data-driven applications, CakePHP has some really good input validation classes that are extremely simple to use.

One of the main drawbacks of coding your own input validation in PHP is that many programmers aren't familiar enough with regular expression syntax to write effective input validation routines. CakePHP simplifies this with pre-built functions for credit card validation, SSNs, email addresses, password complexity and more.

Aside from its input validation classes, CakePHP lets developers easily generate AJAX-enabled views, RSS feeds, XML and more without heavy modification of code or third-party downloaded scripts. Having been running through CakePHP for the past few weeks, I'm really impressed. I was really dumbfounded when I realized that CakePHP has been around for a really long time, has a corporate-sponsored team of developers and a very large base of programmers using it.
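To make the validation point concrete, here is an added example of how those pre-built rules are declared; it is not code from the post and not CakePHP's own source or documentation. It assumes CakePHP 1.2 (the release current when this post was written), a hypothetical User model with email, ssn, card_number and password fields, and a matching controller; it runs inside a CakePHP application, with the two classes in app/models/user.php and app/controllers/users_controller.php.

```php
<?php
// Added example, not from the post or from CakePHP itself. Assumes CakePHP 1.2
// and a hypothetical `users` table with the fields named below.

// app/models/user.php
class User extends AppModel {
    var $name = 'User';

    // Every field a request may set gets a rule. A record that fails any rule
    // is rejected by save() before any SQL is built, so the developer never
    // hand-writes the regexes for these formats.
    var $validate = array(
        'email' => array(
            'rule'     => array('email', false),   // format check; true adds an MX lookup
            'required' => true,
            'message'  => 'Enter a valid e-mail address'
        ),
        'ssn' => array(
            'rule'       => array('ssn', null, 'us'),   // built-in US SSN format
            'allowEmpty' => true,
            'message'    => 'SSN must look like 123-45-6789'
        ),
        'card_number' => array(
            'rule'       => array('cc', 'fast'),   // Luhn check plus issuer prefixes
            'allowEmpty' => true,
            'message'    => 'Card number failed validation'
        ),
        'password' => array(
            'length' => array(
                'rule'    => array('minLength', 8),
                'message' => 'Use at least 8 characters'
            ),
            'complexity' => array(
                // 'custom' takes a regex; this one requires lower, upper and digit
                'rule'    => array('custom', '/^(?=.*[a-z])(?=.*[A-Z])(?=.*\d).+$/'),
                'message' => 'Mix upper case, lower case and digits'
            )
        )
    );
}

// app/controllers/users_controller.php
class UsersController extends AppController {
    var $name = 'Users';
    var $components = array('Session');

    function register() {
        if (!empty($this->data)) {
            $this->User->create();
            // save() runs the $validate rules first; on failure nothing is written
            if ($this->User->save($this->data)) {
                $this->Session->setFlash('Account created');
                $this->redirect(array('action' => 'index'));
            } else {
                // $this->User->validationErrors holds the per-field messages;
                // FormHelper renders them next to the matching inputs
                $this->Session->setFlash('Please correct the errors below');
            }
        }
    }
}
```

The model is where the security value sits: the rules travel with the data, so every controller, form and fixture that saves a User gets the same checks, which is the consistency the post asks for. Validation decides only whether a value is well-formed; the password still needs hashing before storage and the queries still go through the framework's bound-parameter layer rather than string concatenation.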

Any organization that utilizes PHP for writing public-facing web applications should look into (and require) a PHP development framework like CakePHP to ensure consistency and provide a baseline for common security features.




© 2008-2010 hackyourself.net
Part of the InfoSec Island™ Network