
GreenSQL is a Database Security Solution, says CTO David Maman (Video) 108

Posted by Roblimo
from the database-security-for-the-masses dept.
'GreenSQL is an Open Source database firewall used to protect databases from SQL injection attacks,' says the GreenSQL.net website, which also says, 'GreenSQL works as a proxy and has built-in support for MySQL and PostgreSQL. The logic is based on evaluation of SQL commands using a risk scoring matrix as well as blocking known db administrative commands (DROP, CREATE, etc).' The company also maintains a commercial version as a separate entity. GreenSQL CTO/CoFounder David Maman gives more details about both the company and open source GreenSQL in this video interview.

  • by Anonymous Coward on Monday April 02, 2012 @08:42AM (#39547635)

    Every post I've read so far makes the critical error of assuming that an application can be perfected, and that when it is perfected, it cannot participate in a SQL injection attack. That's really poor analysis.

    It is common for SQL to be synthesized within plpgsql/PL/whatever (database extension language) functions the same as it is in PHP or Java, and the result can be an SQL injection vulnerability. No proxy will protect from that. You must sanitize inputs on database functions that synthesize SQL, just the same as application functions that synthesize SQL or prepare statements.

    In other words, a partial solution is not a solution.
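
    As an added illustration of the point made above (example SQL written for this page, not the commenter's or GreenSQL's code; the `accounts` table, the function names and the sample data are constructed), this shows the dynamic-SQL pattern inside a PostgreSQL function that a proxy only sees as a harmless function call, next to the form that binds the value instead of splicing it into query text, plus a catalog query a defender can use to find such functions:

```sql
-- Constructed sample schema for the example.
CREATE TABLE accounts (id serial PRIMARY KEY, owner text, balance numeric);
INSERT INTO accounts (owner, balance) VALUES ('alice', 100), ('bob', 50);

-- Defective pattern: the argument is concatenated into the statement text,
-- so whatever the caller passes becomes part of the SQL the server compiles.
-- A network proxy only sees "SELECT * FROM lookup_unsafe($1)", which is
-- exactly the case the comment describes.
CREATE FUNCTION lookup_unsafe(p_owner text)
RETURNS SETOF accounts LANGUAGE plpgsql AS $$
BEGIN
  RETURN QUERY EXECUTE
    'SELECT * FROM accounts WHERE owner = ''' || p_owner || '''';
END $$;

-- Hardened form: the value travels as a bound parameter via USING and is
-- never part of the query text; an identifier that genuinely has to be
-- dynamic (here the column name) goes through format('%I'), which quotes it.
CREATE FUNCTION lookup_safe(p_owner text, p_col text DEFAULT 'owner')
RETURNS SETOF accounts LANGUAGE plpgsql AS $$
BEGIN
  RETURN QUERY EXECUTE
    format('SELECT * FROM accounts WHERE %I = $1', p_col)
    USING p_owner;
END $$;

-- Ordinary data containing an apostrophe is enough to show the difference:
-- the unsafe function fails with a syntax error because the quote ends its
-- string literal early, while the safe one compares the value literally.
SELECT * FROM lookup_safe('O''Brien');

-- Defender's check (heuristic): list plpgsql functions whose source builds
-- an EXECUTE statement with string concatenation, the pattern to review.
SELECT n.nspname, p.proname
  FROM pg_proc p
  JOIN pg_language l ON l.oid = p.prolang
  JOIN pg_namespace n ON n.oid = p.pronamespace
 WHERE l.lanname = 'plpgsql'
   AND p.prosrc ~* 'EXECUTE[^;]*\|\|';
```

    The catalog query flags concatenation near EXECUTE, so it produces false positives when the concatenated parts are only identifiers already passed through `quote_ident` or `format('%I')`; treat it as a review list, not a verdict.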

  • Transcript (Score:4, Informative)

    by QuasiSteve (2042606) on Monday April 02, 2012 @09:33AM (#39548055)

    I don't watch videos. Transcript?

    Incoming!

    -----

    Title: David Maman, Co-Founder and CTO of GreenSQL, Talks About Database Security
    Description: GreenSQL creates and maintains both proprietary and open source database security software

    [00:00] <TITLE>
    "GreenSQL is a Database Security Solution..." appears above the SlashdotTV logo bar with "David Maman - Co-Founder & CTO, GreenSQL" in the bottom of the view of a still shot from the interview, showing David Maman over a dark background.

    [00:02] David>
    My name is David Maman, I'm CTO and founder of GreenSQL.
    GreenSQL is a company which provides a solution for database security as well as performance and compliance, eventually.
    GreenSQL started as an Open Source project, actually.
    In 2006, me and a friend started a very, very nice and easy-going Open Source project, and the Open Source project up 'til today is the only solution available for MySQL database - to secure it.
    When I'm saying "securing it", it's not just about hardening passwords, but it's truly identifying threats in queries running to the database, and detecting them.
    Even though it was a very simple solution that we have invested only a few hours in, each one of us, in our free time, the first 3 years we had more than 100,000 downloads of the Open Source project.
    The Open Source project was so common that we started receiving a lot of feature requests and a lot of support requests for actually huge organizations - that we were surprised as well.
    As time passed we've seen that there is an unmet need in the market; not only that enterprise companies - and I'm talking about high-end telecom and enterprise companies who have great solutions that they can buy, like Imperva acquired by IBM, and like Secerno which Oracle purchased 2 years ago, and so on, and so on - but medium and even large organizations that cannot afford $200k for a basic solution don't have any solution in the market.
    We raised capital, and we started a company and we developed from scratch a new solution, and we call it unified database security.
    It's a software-based solution that provides you database security, database auditing, database performance and database masking in one extremely easy to manage, to install, and to troubleshoot software-based solution.
    We started sales less than a year ago, and we are going high and up 'til today we got more than 2,000 downloads per month.
    The solution is very easy to use, so because we have started from Open Source - and even though it's a completely different solution, that's got nothing to do with the Open Source - we are maintaining the Open Source, but not in a high level.
    Even though it's a very easy and simple to use solution, we have decided to also give a free version, so you get the security for free.
    You can pay only for additional features like auditing, like masking, like performance and so on, and so on.
    So we get more than 2,000 new installations per month at customer premises, and we support, currently, MySQL, Microsoft SQL, PostgreSQL, and very soon Oracle as well.

    [02:54] David>
    As a developer, you never take into consideration the entire life cycle of your information, the information itself that is eventually stored inside databases - and it doesn't matter which type of application you develop, and which platform you use, eventually the information is stored inside a database.
    Even though you can clear it as "it's okay, and my database is secured", but when unauthorized access is being accessed to your database, unauthorized users, unauthorized application, all the big noise surrounding SQL injection attacks for example, how you can defend from SQL injections.
    So naturally, the good developers will say that "I don't need that! I know how to write a secure code!" - and I'm sure most of the people do know how to write secure code.
    The problem is that you use a lot of legacy applications and a lot of legacy code, that you
