Press "Enter" to skip to content

Category: Security

Secrets Management in Kubernetes

Anshika Varshney takes us through some secrets management:

Secret management is a critical part of working with Kubernetes. When working with Kubernetes, you’ll often need to store and use sensitive information — like database passwords, API keys, and certificates. That’s where Kubernetes Secrets come in. But here’s the thing: while Kubernetes provides a way to store secrets, using them incorrectly can still expose your sensitive data.

This blog will walk you through:

  • What Kubernetes Secrets are
  • How they work
  • Common mistakes (the wrong way)
  • Best practices (the right way)
  • Real-life examples and configurations

Read on for the full article. I do want to iterate what I consider the most important of Anshika’s points: these things should never go into source control. The problem is, source control history is a lot more permanent than people customarily think about, so if you accidentally checked in a password in a config file somewhere, then got rid of the line with the password in it, a bad person with access to your source control can still look at history and find that password. The mechanism to rewrite Git history to remove a line’s existence is purposefully difficult, so a lot of developers don’t even know that it’s possible. But even then, if you’re hosting on someplace like GitHub and forks are enabled, rewriting history in your fork doesn’t rewrite it in somebody else’s fork, so again, a bad person with a fork from the right time frame could still see your exposed password.

The only fix is to cycle credentials if you ever do accidentally expose a password or key in source control files.

Leave a Comment

Microsoft Fabric Service Principal API Settings

Nicky van Vroenhoven has a public service announcement:

Microsoft Fabric is changing how service principal access to public APIs is controlled. The existing all-or-nothing tenant setting was split into two separate settings — giving us admins more granular control, but also introducing a change you might need to act on after August 1, 2025.

Click through to see how you might have been able to learn this, as well as the consequences of this change.

Leave a Comment

Finding Necessary Permissions for DMVs

Randolph West has a script for us:

Part of my job at work is to update Transact-SQL reference content. System dynamic management views (DMVs) have permissions that are managed in the SQL Server Database Engine source code, so it’s a little tricky to figure out the required permissions for a specific DMV.

This blog post provides a stored procedure that uses sys.fn_builtin_permissions to calculate permissions, but keep in mind that any custom permissions that you’ve implemented, can override the defaults.

This can serve as a quick check for whether your user account has the necessary permissions to access DMVs in a particular database.

Leave a Comment

Auditing Specific Data Access in SQL Server

Andreas Wolter wants to focus in on specific database objects:

In this article I want to share a targeted approach to audit access to specific objects within a database in Microsoft SQL Server.

  • In my last article, Evading Data Access Auditing in Microsoft SQL Server – and how to close the gaps, I showed multiple approaches to gain access to a chunk of sensitive data using the statistics object in SQL Server. The hardest one to capture is access to data that is exposed via the dynamic management function (DMF) dm_db_stats_histogram. This requires an additional Audit Specification in the master database for this system object. In the end we required 3 different Audit Action Groups to cover all the methods used to read data from our example table.

Read on to see what you can do as of SQL Server 2022.

Leave a Comment

Auditing in Oracle

David Fitzjarrell digs into the options available for security audits in Oracle:

Security rears its ugly head yet again, this time with security audits. Depending upon the RDBMS auditing can be a breeze or a nightmare. Oracle has done wonders in making this task simpler for the DBA to enable, configure and maintain. Let’s take a dive into this topic and shed some light on it.

By default when Oracle is installed the newest foray into auditing, the Unified Audit Trail, is disabled. In releases prior to 12 basic auditing was automatically available, but it wrote to possibly three locations:

Read on for those three locations, how things have changed with Unified Audit Trail, and some of the information you can get back from it.

Leave a Comment

Securing PostgreSQL Containers

Mercy Bassey grabs a certificate:

Running Postgres in Docker is great for a quick test but what if you want it to behave like a proper, production-style setup with SSL encryption, certificate-based authentication, persistent volumes, and custom configurations? In this article, we’ll find out how, tackling the various tasks involved such as:

  • Generating and using self-signed SSL certificates with Postgres.
  • Setting up a PostgreSQL Docker container that uses those certs for encrypted client connections.
  • Configuring authentication for both automated services and human users.
  • Controling the behavior of your Postgres instance using mounted config files.

Read on to see how.

Leave a Comment

A Primer on TMDL Security Risks in Power BI

John Kerski gives us the low-down:

The Tabular Model Definition Language (TMDL) provides a simpler way of defining Power BI Semantic Models. Unlike the JSON-based Tabular Model Scripting Language (TMSL), TMDL uses a more accessible tab-based format for specifying DAX measures, relationships, and Power Query code.

Click through for the various ways things could go wrong, as well as how to mitigate those risks.

Mind you, “security risks” is a very broad concept and is not an indictment of the product, but rather something to keep in mind as you attempt to write secure code. For example, did you know that bad guys could potentially access all of your data in your database by using a series of SELECT statements?

Leave a Comment

Customer-Managed Keys in Microsoft Fabric Workspaces

Sumiran Tandon makes an announcement:

We’re excited to share that customer-managed keys (CMK) for Microsoft Fabric workspaces are now available in public preview in all public regions! This expansion makes it easier for customers worldwide to meet compliance requirements and implement robust data protection strategies.

Note: This feature was released in public preview in a limited set of regions earlier this year and here’s the step-by-step guide for setup.

I personally tend not to be a stickler about customer-managed versus Microsoft-managed keys, as your data is encrypted either way. That said, I know that there are environments in which this matters a lot.

Leave a Comment

No More TLS 1.1 in Microsoft Fabric

Nisha Sridhar makes an announcement:

We have officially ended the support for TLS 1.1 and earlier on the Fabric platform. As previously announced, starting July 31, 2025, all outbound connections from Fabric to customer data sources must use TLS 1.2 or later.

This update follows our earlier announcement in the TLS Deprecation for Fabric blog, where we outlined the rationale and timeline for this transition.

Read on to see what you might need to do to keep up to date.

Comments closed

The CU+GDR Path in SQL Server’s Service Model

Jon Russell clarifies the situation:

SQL Server administrators often encounter Microsoft updates labeled as “CU + GDR”, and understandably, this can cause confusion — especially when trying to stay on a consistent CU-based servicing path. This post clarifies what “CU + GDR” really means and why it’s not something to worry about.

Read on for an overview of the different security models, as well as the odd duck in SQL Server 2016.

Comments closed