Sean McCown has a fantastic blog post on how xp_cmdshell is safe by default and why turning it on is not, by itself, a security risk. I've seen auditors freak out when they see it enabled, and I've seen DBAs obstinately refuse any solution that requires shelling out. As McCown points out, this is the wrong attitude. xp_cmdshell is disabled out of the box, enabling it requires sysadmin (or serveradmin) rights, and once enabled only members of sysadmin can run it unless a sysadmin deliberately grants EXECUTE to someone else. Anyone who can flip the switch is already a sysadmin and could re-enable it with sp_configure in a second, so a disabled xp_cmdshell is not a control against a compromised sysadmin login; what matters is what a shell command can do once it runs, and that is decided by the SQL Server service account. Instead of freaking out about the setting, DBAs and managers should spend their time making sure the service account follows the principle of least privilege, that the number of sysadmin members is minimized, that SQL Server instances are correctly network segmented, and all the other things which actually improve security posture.
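To put the paragraph above into concrete terms, here are the T-SQL checks a DBA would run when someone raises the xp_cmdshell question. This is an added example, not code from McCown's post; the proxy account and login names in the last section are hypothetical placeholders.

```sql
-- Added example (not from the original post). Run as a sysadmin in master.

-- 1. Is xp_cmdshell actually enabled? It is off by default.
SELECT name, value_in_use
FROM sys.configurations
WHERE name IN ('show advanced options', 'xp_cmdshell');

-- 2. Turning it on needs ALTER SETTINGS, held by sysadmin and serveradmin.
--    This is exactly why a disabled setting does not stop a sysadmin attacker:
--    they can run these four lines themselves.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1;
RECONFIGURE;

-- 3. Who is in sysadmin? These are the logins that can run xp_cmdshell
--    (and change every other server setting). Keep this list short.
SELECT member.name, member.type_desc
FROM sys.server_role_members rm
JOIN sys.server_principals member ON member.principal_id = rm.member_principal_id
JOIN sys.server_principals role   ON role.principal_id   = rm.role_principal_id
WHERE role.name = 'sysadmin';

-- 4. Which Windows account does a sysadmin's shell command run as?
--    The SQL Server service account. If this says LocalSystem or a domain
--    admin, that is the real problem, not xp_cmdshell itself.
SELECT servicename, service_account
FROM sys.dm_server_services;

-- 5. Sanity check: a sysadmin's command inherits the service account's identity.
EXEC xp_cmdshell 'whoami';

-- 6. If a non-sysadmin login genuinely needs it, do NOT put it in sysadmin.
--    Grant EXECUTE on the procedure to a user mapped in master, and set a
--    low-privilege proxy account: commands from non-sysadmin callers run as
--    the proxy, never as the service account. Account and login names below
--    are hypothetical.
EXEC sp_xp_cmdshell_proxy_account 'DOMAIN\cmdshell_proxy', 'proxy_password_here';
CREATE USER [app_login] FOR LOGIN [app_login];
GRANT EXECUTE ON xp_cmdshell TO [app_login];
```

Step 4 is the one auditors should be asking about: with a least-privilege service account, a shell command from a compromised sysadmin connection gets the same rights that account already had on the host, nothing more. Without the proxy account in step 6, a non-sysadmin granted EXECUTE gets an error rather than running as the service account, which is the safe failure mode.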


