Jul 2009 ~ SQL Injection Attack – Defense ~ Andrew Novick


Presenter: Andrew Novick of Novick Software
Topic: Defending SQL Server from SQL Injection Attacks


SQL Injection attacks have emerged as the application security issue that creates the most data loss and web site defacement incidents, surpassing cross-site scripting.

Defending SQL Server from SQL injection continues to be a problem for many applications. This presentation will discuss the ways that SQL Server developers and DBAs can harden their applications and servers.

The methods demonstrated include:

  • Protecting Dynamic SQL statements when they can’t be eliminated
  • Security configuration to minimize the vulnerable surface area
  • Using DML triggers to thwart many common attacks
  • Managing stored procedure privilege with the EXECUTE AS clause
  • Using DDL triggers to minimize vulnerabilities
  • Ineffectiveness of database and column encryption as defenses
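The first and fourth bullets name two concrete T-SQL mechanisms. As an added illustration (this is not material from the presentation or from Novick Software), the script below shows a stored procedure that cannot avoid dynamic SQL because the sort column is chosen at run time, first in the weak concatenated form and then hardened with sp_executesql parameters, catalog validation plus QUOTENAME for the identifier, and the EXECUTE AS clause. The table dbo.Customers, its columns, and the login AppUser are hypothetical names chosen for the example.

```sql
-- Added example; table, columns and AppUser are hypothetical names.

-- Weak pattern: the data value is spliced into the statement text, so any
-- quote character in @City is parsed as SQL rather than treated as data.
CREATE PROCEDURE dbo.FindCustomers_Unsafe
    @City    nvarchar(100),
    @SortCol sysname
AS
BEGIN
    DECLARE @sql nvarchar(max) =
        N'SELECT CustomerName, City FROM dbo.Customers WHERE City = '''
        + @City + N''' ORDER BY ' + @SortCol;
    EXEC (@sql);
END;
GO

-- Hardened pattern:
--  * the data value travels as a parameter of sp_executesql, so it is never
--    part of the SQL text that the parser sees;
--  * the identifier, which cannot be a parameter, is checked against
--    sys.columns and wrapped with QUOTENAME before it is appended;
--  * WITH EXECUTE AS OWNER lets callers run the procedure without holding
--    SELECT on the table, so a caller's own privileges stay minimal.
CREATE PROCEDURE dbo.FindCustomers_Safe
    @City    nvarchar(100),
    @SortCol sysname
WITH EXECUTE AS OWNER
AS
BEGIN
    SET NOCOUNT ON;

    -- Accept only a column that actually exists on the target table.
    IF NOT EXISTS (SELECT 1
                   FROM sys.columns
                   WHERE object_id = OBJECT_ID(N'dbo.Customers')
                     AND name = @SortCol)
    BEGIN
        RAISERROR(N'Invalid sort column.', 16, 1);
        RETURN;
    END;

    DECLARE @sql nvarchar(max) =
        N'SELECT CustomerName, City FROM dbo.Customers '
        + N'WHERE City = @City ORDER BY ' + QUOTENAME(@SortCol);

    -- @City is bound as a typed parameter, not concatenated.
    EXEC sys.sp_executesql
        @sql,
        N'@City nvarchar(100)',
        @City = @City;
END;
GO

-- Grant the procedure only; the application login never touches the table.
GRANT EXECUTE ON dbo.FindCustomers_Safe TO AppUser;
GO
```

The catalog check is what makes the identifier safe: QUOTENAME alone neutralizes delimiter characters, but validating the name against sys.columns also rejects anything that is not a real column before it reaches the statement.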

The SQL Server is one of the most vulnerable components of an application and one of the most frequently attacked. Come hear about the techniques you can use to protect it from SQL injection attacks.


Novick Software is the New England-based consulting company of Andrew Novick. Over the last 24 years I’ve been managing projects, consulting, writing, teaching, and programming to create software applications for both operations and analysis. The most important thing that I can do for my clients is to understand what drives their business. Only by understanding their problem or what they’re trying to achieve can an effective solution be found.
