Which Database is More Secure? Oracle vs Microsoft
I was quite surprised when a number of folks criticized the data used in the report titled "Microsoft SQL Server Runs the Security Table" from ESG - it was just CVE data!
Well, David Litchfield has done some of his own research, and created a report comparing SQL Server and Oracle.
David is no slouch; he has found security bugs in both SQL Server and Oracle. But I'll let you draw your own conclusions.
Comments
Anonymous
November 20, 2006
I came across Michael Howard's blog this morning ( http://blogs.msdn.com/michael_howard/archive/2006/11/20/which-database-is-more-secure-oracle-vs-microsoft.aspx
Anonymous
November 20, 2006
Interesting report, makes a nice clear case, and it's good to see all the details on the methodology that was used. I think that one of the problems with using just CVE data for this kind of work, as that first study seems to have, is that it doesn't really lend itself to searching for all vulnerabilities for a given product ... from their FAQ: "B6. Can I search CVE by operating system? The CVE search was designed to help identify specific vulnerabilities and exposures, and not to find sets of problems that share common attributes such as operating systems. Therefore, you should not search CVE by operating system because your results will be incomplete." (yeah I know that this isn't by operating system, but I think that the principle remains :O)
Anonymous
November 30, 2006
Litchfield used to be a big critic of MSFT - until they hired him. Is this yet another case of MSFT buying off someone to shut them up?
Anonymous
November 30, 2006
Mr Rock.
>>Litchfield used to be a big critic of MSFT
So you know what? We listened, and we did something. The figures speak for themselves, the SQL team has done a tremendous job.
Anonymous
December 04, 2006
[snip] Litchfield ranked Microsoft SQL Server 2000 service pack 4 as the most secure database in the market, together with the PostgreSQL open source project. He ranked Oracle's 10g database at the bottom. [snip] (http://www.vnunet.com/vnunet/news/2169225/microsoft-beats-oracle-security)
So Microsoft or Postgres? I think now it comes to performance, but... wait a second:
[snip] d. Benchmark Testing. You may not disclose the results of any benchmark test of either the Server Software or Client Software to any third party without Microsoft's prior written approval. [snip] (Microsoft SQL Server 2000 EULA)
Okay, so price decides, am I not right? Anyways, according to "just CVE data", Microsoft SQL Server was affected by 57 issues compared to Postgres' 40 since 1999. Any comments on this, Michael?
Anonymous
December 05, 2006
>>Any comments on this, Michael?
You bet - it all comes down to "does the database do what you want" - I cannot answer that for Postgres, I've never used it! And I know of no customer using it either. Of course, I'm not saying no-one uses it, but I have yet to meet anyone that uses it. I know lots of people running SQL Server, DB2, MySQL, and Oracle, however.
Anonymous
December 05, 2006
What about MS Access?
Anonymous
June 09, 2007
Does Microsoft have a set of guardian angels? Think of all the killer threats they've seen over the years. Threats...