Chip's Blog

SQL Server coming to Linux

posted Mar 9, 2016, 9:39 AM by Chip Andrews

I wasn't sure if this was an early April Fools' joke but it appears to be legit.  Obviously with a new release we should be on the lookout for security vulnerabilities, but if you've got the time then get the preview and start looking!

Time to come clean

posted Feb 11, 2016, 2:02 PM by Chip Andrews   [ updated Feb 11, 2016, 2:05 PM ]

My name is Chip Andrews and I've got a confession to make.  I need to finally admit that I've left Windows behind which means that SQL Server is no longer my primary research target from a security perspective.  I've been running Linux for a few years and Windows only virtually and rarely.  Lately, rarely has become "not at all".   Because of that, my SQL Server security research activities have come to a halt. This honestly happened a long time ago.  That said - I will keep this site up for reference purposes especially since it costs me nothing to do so.  See you guys on Slashdot and you can also follow me at @chipandrews.  As a tribute to the person who inspired me to start this site (Rain Forest Puppy) I hereby declare myself "re-factored".  Given my domain name I still feel that MySQL, PostgreSQL, and a multitude of others are ripe for research so you may hear from me again... 

A Sleeper Awakens

posted Mar 12, 2015, 9:04 AM by Chip Andrews   [ updated Mar 12, 2015, 9:05 AM ]

OK - I admit I've been neglecting posting for a little while but I'm back.  Of course - much of the focus of security these days is in the application space but SQL injection remains a large part of that.  My focus will shift more to this area going forward.

Version 1.3 of sqlver released

posted Oct 15, 2013, 5:47 AM by Chip Andrews   [ updated Oct 15, 2013, 5:48 AM ]

Thanks to Frank Brown for releasing his additions to the sqlver tool.   Frank has added SQL 2012 detection as well as a new registry GetEdition()  lookup (single instances only for now).  Check it out in the Downloads area.

Mobile SQL Server Management

posted Jul 20, 2013, 6:03 PM by Chip Andrews   [ updated Jul 20, 2013, 6:03 PM ]

I've been using the Solarwinds Mobile Admin Client (and server) now for several months and I have to say it is very powerful for managing SQL Server (among other things) while on the run.  It works by installing a server component on your network and then enabling SSL so you can connect from your mobile app.  While the connection to the Mobile Admin server can be encrypted, there is no requirement for doing so, so be sure to set your config properly.

Another patch tool

posted Mar 24, 2013, 8:05 AM by Chip Andrews

While not open source, if you need a simple tool to patch third-party applications on a Windows machine you may want to check out  They've done a good job of automating a process that should have been automated a long time ago.  What is needed now is to have a similar application delivered as a system service that runs on all computers in a domain.  Microsoft System Center Configuration Manager is close but who has time to constantly create new deployment packages?  The folks at patchmypc have the right idea.  They maintain the package database - you just choose which applications you want to patch.

Reviewing a New Book on SQL Security

posted Oct 24, 2012, 5:55 PM by Chip Andrews   [ updated Nov 17, 2012, 5:30 AM ]

I am in the process of reviewing a copy of "Microsoft SQL Server 2012 Security Cookbook" from Packt Publishing.  I will be sure to post my review when completed but in the meantime if anyone is interested in an eBook version the publisher is offering 5 to anyone who posts a response to this blog entry with a reason "why you would like to get the book".  Hey - free stuff - why not?  Only the "Top 5" comments will win and those will be the only ones given to the publisher for prize distribution.  I will leave this open for comments until 11/15/12. UPDATE: I've closed the contest and sent the top 5 reasons to the publishers.  The winners should receive their free copies at any time.

SQL Server in Memory Only?

posted Jun 28, 2012, 6:35 AM by Chip Andrews

Microsoft is making moves towards an in-memory database.  While the security implications of this may be unknown - it's not too early to start thinking about it.

SQL Server 2012 Released

posted Apr 15, 2012, 5:38 AM by Chip Andrews

I've already created a SQL Server 2012 section in the version database for the release candidates but this is still an important milestone since now SQL Server 2012 will begin to show in production environments.  We'll keep our ears to the ground for any new vulnerabilities!

Direct Link to SQL Server Release Blog

posted Feb 13, 2012, 8:04 PM by Chip Andrews

While Ken and I do our best to keep up with the SQL Server builds, occasionally we fall behind.  If you want a listing of the major releases (I don't see hotfixes here but certainly service packs and cumulative updates) see this site to double-check our index:
