How can I secure my database code?
Problem
We have a lot of proprietary database code that is simply encrypted using the "WITH ENCRYPTION" option. Unfortunately, this is a very weak method of securing database code.
Is there any better way to secure the database code?
We're currently on SQL Server 2005, if that helps, but we're in the process of migrating to SQL Server 2008 R2.
Solution
There isn't much you'll be able to do to prevent people from getting access to your code.
If it's encrypted WITH ENCRYPTION it can be decrypted pretty quickly.
If you use CLR procedures the T/SQL statements that are executed against the SQL Server can be captured via SQL Profiler very easily. Not to mention many shops don't like SQL CLR and wouldn't bring your app in shop.
If you encrypt the procedures via third party code it can still be decrypted pretty easily (if SQL can decrypt the procedures so that it can run them, odds are a user will be able to decrypt it).
Your code should be protected through contracts and NDAs.
Personally, when I see an app with encrypted procedures, about the first thing I'm going to do is force them to decrypt them. If they won't, I'll do it myself. Most databases out there which come from vendors aren't tuned very well, and if I'm going to be tuning the database I'm going to need access to the code.
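The following T-SQL is an added illustration and is not code from the question or the answer above. It creates two constructed demo procedures in a scratch database (dbo.usp_DemoEncrypted and dbo.usp_DemoPlain are hypothetical names) and shows what WITH ENCRYPTION actually changes: the module text reads as NULL in sys.sql_modules and through OBJECT_DEFINITION, while execution is unaffected, so the server itself still has to recover the text to run the procedure. The last query inventories every module in the current database that relies on the option, which is the first thing to check when deciding whether to keep depending on it or to move protection into contracts and permissions as the answer suggests.

```sql
-- Added illustration (not from the original question or answer): what WITH ENCRYPTION
-- does in the catalog, and how to inventory which modules in a database rely on it.
-- Run in a scratch database; the procedure names below are constructed for this example.

-- A trivial procedure stored with the option under discussion.
CREATE PROCEDURE dbo.usp_DemoEncrypted
WITH ENCRYPTION
AS
BEGIN
    SELECT 1 AS demo_value;
END;
GO

-- The same logic without the option, for comparison.
CREATE PROCEDURE dbo.usp_DemoPlain
AS
BEGIN
    SELECT 1 AS demo_value;
END;
GO

-- The option only hides the text from the usual catalog views: sys.sql_modules.definition
-- and OBJECT_DEFINITION() both return NULL for the encrypted module. Nothing about
-- execution changes, which is why the engine must still be able to read the text itself.
SELECT o.name,
       OBJECT_DEFINITION(o.object_id) AS definition_via_function,
       CASE WHEN m.definition IS NULL THEN 'encrypted' ELSE 'plain' END AS storage
FROM sys.objects AS o
JOIN sys.sql_modules AS m ON m.object_id = o.object_id
WHERE o.name IN ('usp_DemoEncrypted', 'usp_DemoPlain');
GO

-- Inventory for a review: every module in the current database whose text is hidden.
SELECT SCHEMA_NAME(o.schema_id) AS schema_name,
       o.name,
       o.type_desc
FROM sys.sql_modules AS m
JOIN sys.objects AS o ON o.object_id = m.object_id
WHERE m.definition IS NULL
ORDER BY schema_name, o.name;
GO

-- Both procedures behave identically to callers regardless of the option.
EXEC dbo.usp_DemoEncrypted;
EXEC dbo.usp_DemoPlain;
GO
```

One caveat when reading the inventory query: sys.sql_modules.definition is also NULL for any module the calling principal lacks VIEW DEFINITION on, so run it as a principal that holds that permission (or as the database owner), otherwise plain modules will be miscounted as encrypted.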
Context
StackExchange Database Administrators Q#4700, answer score: 10