I wasn't sure if this was an early April Fools' joke, but it appears to be legit. Obviously, with a new release we should be on the lookout for security vulnerabilities, but if you've got the time, then get the preview and start looking! https://www.microsoft.com/en-us/server-cloud/sql-server-on-linux.aspx
My name is Chip Andrews and I've got a confession to make. I need to finally admit that I've left Windows behind which means that SQL Server is no longer my primary research target from a security perspective. I've been running Linux for a few years and Windows only virtually and rarely. Lately, rarely has become "not at all". Because of that, my SQL Server security research activities have come to a halt. This honestly happened a long time ago. That said - I will keep this site up for reference purposes especially since it costs me nothing to do so. See you guys on Slashdot and you can also follow me at @chipandrews. As a tribute to the person who inspired me to start this site (Rain Forest Puppy) I hereby declare myself "re-factored". Given my domain name I still feel that MySQL, PostgreSQL, and a multitude of others are ripe for research so you may hear from me again...
OK - I admit I've been neglecting posting for a little while, but I'm back. Of course, much of the focus of security these days is in the application space, but SQL injection remains a large part of that. My focus will shift more to this area going forward.
Thanks to Frank Brown for releasing his additions to the sqlver tool. Frank has added SQL 2012 detection as well as a new registry GetEdition() lookup (single instances only for now). Check it out in the Downloads area.
I've been using the Solarwinds Mobile Admin Client (and server) now for several months and I have to say it is very powerful for managing SQL Server (among other things) while on the run. It works by installing a server component on your network and then enabling SSL so you can connect from your mobile app. While the connection to the Mobile Admin server can be encrypted, there is no requirement to do so, so be sure to set your config properly.
While not open source, if you need a simple tool to patch third-party applications on a Windows machine you may want to check out www.patchmypc.com. They've done a good job of automating a process that should have been automated a long time ago. What is needed now is to have a similar application delivered as a system service that runs on all computers in a domain. Microsoft System Center Configuration Manager is close, but who has time to constantly create new deployment packages? The folks at patchmypc have the right idea. They maintain the package database - you just choose which applications you want to patch.
I am in the process of reviewing a copy of "Microsoft SQL Server 2012 Security Cookbook" from Packt Publishing. I will be sure to post my review when completed, but in the meantime, if anyone is interested in an eBook version, the publisher is offering 5 copies to those who post a response to this blog entry with a reason "why you would like to get the book". Hey - free stuff - why not? Only the "Top 5" comments will win, and those will be the only ones given to the publisher for prize distribution. I will leave this open for comments until 11/15/12. UPDATE: I've closed the contest and sent the top 5 reasons to the publishers. The winners should receive their free copies at any time.
Microsoft is making moves towards an in-memory database. While the security implications of this may be unknown, it's not too early to start thinking about it. http://blogs.technet.com/b/dataplatforminsider/archive/2012/04/09/the-coming-in-memory-database-tipping-point.aspx
I've already created a SQL Server 2012 section in the version database for the release candidates, but this is still an important milestone since SQL Server 2012 will now begin to show up in production environments. We'll keep our ears to the ground for any new vulnerabilities! http://www.microsoft.com/sqlserver/en/us/default.aspx
While Ken and I do our best to keep up with the SQL Server builds, occasionally we fall behind. If you want a listing of the major releases (I don't see hotfixes here but certainly service packs and cumulative updates) see this site to double-check our index: http://blogs.msdn.com/b/sqlreleaseservices/