Dailydave
mailing list archives
Re: From blackbox to grey-box during Web App tests
From: "J.M. Seitz" <lists () bughunter ca>
Date: Sun, 14 Oct 2007 21:07:34 -0700
Ok well this is all interesting, but the real reason I believe is this: in a
classic development environment, most developers don't have any raw database
experience. Most DBAs are hired to ensure that there is a fully normalized
(ahem), clustered, failed over, etc. database system. Most developers hate
the DBAs and likewise :) In order to really write an application that
relies heavily on stored procs, you are really needing the experience of a
DBA with a developer who understands the system, this is rare in the real
world. Many times in my travels I have seen horrendous SQL code buried in
the main application to achieve the same functionality as an update trigger,
the only thing you can do is educate the dev and move on, there are bigger
battles to fight in a QA/sec position.
Now much like the pull between deployment and development in any team, the
pull between app-dev and DBA is going to be the same (in fact most DBAs are
part of the deployment team). I don't think that stored procs aren't
portable, each database system generally supports a middle-language to
support cross-database development. The key is to find the right expertise
to have baked cross-platform in to begin with, while they are at it [restore
snarky bit] maybe they should start creating architecturally secure
applications before the end of their scoping meetings as well :)
JS
[clear snarky bit]
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave