Interview: Microsoft's Mangione talks about security, scalability and other features in the next version of his database.
With Microsoft Corp. coming off a major security push and moving headlong into its next major SQL Server release, code-named Yukon, eWEEK Senior Writer Matt Hicks recently sat down with the companys SQL Server Vice President Gordon Mangione at Microsofts Redmond, Wash., offices. Mangione offered both a birds eye view of what to expect in Yukon, due in 2003, and a deeper look at a revamped security push for SQL Server.
: Microsoft is supposed to release a beta version this year of Yukon. Where does that stand?
: Yukon is a big release. I mean theres no ifs, ands or buts about it. The teams rolled off our whole security initiativefor SQL Server 2000 and Yukon. Well be coding for most of this year, and youll see us into beta early next year
: So not this year?
: No, no
the security stuff was interesting. The reality is we looked at what happened last fall, and we as a company had to do something different. What we were doing [with] knee-jerk reactions wasnt going to work. I worked for Brian Valentine [senior vice president of Microsofts Windows Division] for four years, and hes very much, "were going to go change the way were doing things." And he literally wrote an internal mail, and then Bill [Gates] backed him up with the Trustworthy Computing [initiative] within a week that said, look, were going to take everyone off writing new code and youre going to dive in and were going to code review every single line of code. Were going to redo our processes. Were gong to take those tools that we always talked about using in research to help us design better code, and were going to make them part of the standard process.
So we were kind of fortunate in SQL [Server] that we were able to build upon the work that really got started in the operating system, but the reality is that from start to finish it was three months. Every develop, every tester, every program manager
we literally code-reviewed every single line of code, we rewrote entire test plans, we built security threat analysis and really looked hard at everything we do inside the product
It was three months of absolute dedicated time on it and that did impact the Yukon schedule. It was frankly an easy decision to make. But really whats happened more than anything is weve looked at our processes from end to end and made sure that this just has to be part of what we doevery code review, every build.
: When it came to SQL Server and security, has it made any significant changes in how youre architecting the product?
: That exact question got asked of Windows. Had we done something architecturally flawed?
We found out there wasnt anything architecturally flawed in what we did. Things that seem like small things, like buffer overruns when you combine them with other things can be used as launch points to go and execute code off of a stack or execute code internally. Its mostly little small things