I have been doing a fair amount of development in VC++, Java, and .NET 2.0 lately for one large project that is finally winding down after almost a year's worth of work. This past week, I put the new SQL Server 2005 JDBC driver (RTM on January 20th) through its paces against a SQL Server 2000 database (the driver works with both 2000 and 2005). I had been using the previous SQL Server 2000 JDBC SP3 driver. The main difference is the old driver was licensed and the new driver was written from scratch to support the new features of SQL Server 2005.
On this particular project, I am still using SQL Server 2000 (though I also do quite a bit of SQL Server 2005 testing and development as well). After installing and using the driver (there are a couple of changes needed such as the position of "sqlserver" in the namespace calling methods), I immediately saw a dramatic positive difference in performance. I also found the new driver to be less forgiving of badly written code (which I like!). I had written some new stored procedures and related Java code that were running alongside previously written in-line SQL that didn't take into consideration correct transactional handling (this project has been mostly about updating legacy code rather than writing code from scratch). I found the combination of techniques was quickly causing a major block in SQL Server. I thought perhaps it was the introduction of the new driver, but the old driver produced the same results, just not as quickly or as noticeably. I updated all SQL calls to use consistent transactional methods (as well as, in this case, stored procedures -- not really a factor, but I prefer that), and my blocking problem was solved.
All in all, I am very pleased with the new driver and recommend it to others if you are doing any Java + SQL Server 2000/2005 development. One caveat is that the new driver had to drop integrated authentication for the final release (it was present in most of the Betas). There were too many issues to consider before rushing it into production -- but I know several developers who were waiting for the release were really expecting this feature in particular. The Microsoft JDBC team are currently promising to release it at the same time as the SQL Server 2005 SP1 later this Spring.
Thom Robbins has posted information on his blog about an upcoming Security Mini-Code Camp in New England featuring fellow Security Developer MVPs Patrick Hynds and Duane LaFlotte. It will be held on Saturday, March 25, 2006 8:30 AM - 5:00 PM. You can register here.
Here is a brief description:
You know the drill- don't code buffer overflows, watch the SQL Injection, use a firewall, do the threat thingy, but you know there is more. You know that security is a war and you can't win by following a few rules. You have to wage war in the same take no prisoners style that the hackers use. Come to the Mini Code Camp Security Edition where Duane Laflotte and Patrick Hynds (the original Geeks in Black) will show you what the enemy is doing as well as how to secure your position. Security is a war, don’t fight fair!
As always, the Code Camp Series represents the best technical content of the local developer community. The Code Camp is free and guaranteed to be the most fun that you can have in any day camp. This is an exclusive mini-session that is not to be missed!
08:30 – 9:00 AM Registration
09:00 – 05:00 PM – Event
Microsoft released a new whitepaper from the Microsoft Solutions for Security and Compliance group (MSSC) on "Applying the Principle of Least Privilege to User Accounts on Windows XP". You can download it here or read it online here.
I was privileged to be one of several reviewers of the paper a couple of months ago. It is definitely a much needed addition to the non-Administrator/Limited User Access (LUA) literature. Please take a moment and review it for an understanding of how to run with least privilege in a Windows XP environment.
Congratulations to all new and returning MVPs!
I have been awarded again (2nd year) as a Microsoft Security Developer MVP for 2006. It has been a great year in 2005, and I look forward to another great year in 2006 with many more community opportunities. Thanks Microsoft for the recognition! It is also an honor to again be in great company with the other Security Developer MVPs (and the 1000s of MVPs around the world).
I hope and wish everyone a very Happy and Prosperous New Year 2006!
I am finally catching up on some blog reading this weekend and found a couple of very useful links for the new year:
1. New and Improved Security in the .NET Framework 2.0 by Rudolph Araujo and Shanit Gupta (found via Shawn Farkas)
2. Checklist: How to test SQL Server security by Kevin Beaver (found via Chip Andrews)
Happy reading!