This site is dedicated to those who are serious about security - specifically, Microsoft SQL Server security. Whatever your feelings about Microsoft, the bottom line is that these servers are showing up everywhere and it's time we learned how to properly secure them. At this site we do just that. We find problems, post solutions, and get the word out. If anyone tells you that security ends with the OS, they are dead wrong. Many times excellent network and host-based security has been bypassed, exposing the very heart of the enterprise: all because of poor SQL Server configuration.

"There is no 'patch' for stupidity."

Recent Blog Entries

  • SQL Server coming to Linux
    I wasn't sure if this was an early April Fools' joke but it appears to be legit. Obviously with a new release we should be on the lookout for security vulnerabilities, but if you've got the time then get the preview and start looking!
    Posted Mar 9, 2016, 9:39 AM by Chip Andrews
  • Time to come clean
    My name is Chip Andrews and I've got a confession to make.  I need to finally admit that I've left Windows behind which means that SQL Server is no longer my primary research target from a security perspective.  I've been running Linux for a few years and Windows only virtually and rarely.  Lately, rarely has become "not at all".   Because of that, my SQL Server security research activities have come to a halt. This honestly happened a long time ago.  That said - I will keep this site up for reference purposes especially since it costs me nothing to do so.  See you guys on Slashdot and you can also follow me at @chipandrews.  As a tribute to the person who inspired me to start this site (Rain Forest Puppy) I hereby declare myself "re-factored".  Given my domain name I still feel that MySQL, PostgreSQL, and a multitude of others are ripe for research so you may hear from me again... 
    Posted Feb 11, 2016, 2:05 PM by Chip Andrews
  • A Sleeper Awakens
    OK - I admit I've been neglecting posting for a little while but I'm back.  Of course - much of the focus of security these days is in the application space but SQL injection remains a large part of that.  My focus will shift more to this area going forward.
    Posted Mar 12, 2015, 9:05 AM by Chip Andrews
  • Version 1.3 of sqlver released
    Thanks to Frank Brown for releasing his additions to the sqlver tool. Frank has added SQL 2012 detection as well as a new registry GetEdition() lookup (single instances only for now). Check it out in the Downloads area.
    Posted Oct 15, 2013, 5:48 AM by Chip Andrews

In The News