I was recently asked a question by someone who had attended my Shmoocon talk entitled "Why are Databases So Hard to Secure?". PDF slides are available (1.34 Mb). I was going to put this into a more formal structure, but the conversational nature works really well. I would love to see comments reflecting others' thoughts.I found several things of interest in your talk about database security and several new things to think about.In particular I realized that DBMSs have at least two hats in the world of software architecture namely as technical services ("smart file system") and as application framework. Perhaps that "depth" is one of the reasons why dbms is hard to secure? For example, considering just the question of who or what have user roles within a DBMS deployment. From the "deep" point of view, the "user" could be an application, or a module, or just the next layer up in the architecture stack. From the "shallow" point of view, the "user" should be an actual person whose UI actions are touching the database. I think someone in the audience was advocating that, and perhaps you were too, namely using the DBMS's permissions and roles system to authorize actual users. But that would be different from common (even careful) practice, wouldn't it?I meant to grab you and re-ask my question though, namely "is all this complexity caused by the inherent difficulty of securing DBMS, or is it the _cause_ of the difficulty"? So I'll re-ask now...Best regardsAnd my response: