I've posted several times about Oracle and its effort to produce a more secure database product. Today I received a couple of emails on this very topic. First is this one: http://www.databasesecurity.com/dbsec/comparison.pdf. There are two points from the paper that I particularly like:
Do Oracle's results look so bad because it runs on multiple platforms?
No – pretty much most of the issues are cross-platform. In the 10gR2 graph every flaw affects every platform.
Do the SQL Server 2005 results have no flaws because no-one is looking at it?
No – I know of a number of good researchers who are looking at it – SQL Server code is just more secure than Oracle code.
Having lived through over a year and a half of development on SQL Server 2005, I can tell you first hand that we take building secure software very seriously. It's baked into our development process. It wasn't easy and it required a lot of legwork. It's very nice to see the fruits of our labor paying off for our customers.
The second email was this: http://www.argeniss.com/woodb.html
Based on the great idea of H D Moore "Month of Browser Bugs" and LMH "Month of Kernel Bugs", we are proud to announce that we are starting in December the "Week of Oracle Database Bugs" (WoODB).
What is the WoODB about? An Oracle Database 0day will be released every day for a week in December.
Why are you doing this? We want to show the current state of Oracle software ("in")security; also we want to demonstrate Oracle isn't getting any better at securing its products (you already know the history: two years or more to fix a bug, not fixing bugs, failing to fix bugs, lying about security efforts, etc, etc, etc.).
Why are you targeting only Oracle? We have 0days for all Database software vendors but Oracle is "The #1 Star" when talking about lots of unpatched vulnerabilities and not caring about security.
Why not the Month of Oracle Database Bugs? We could do the Year of Oracle Database Bugs but we think a week is enough to show how flawed Oracle software is; also we don't want to give away all our 0days :), anyways if you want to contribute send your Oracle 0days so this can be extended for another week or more.
The bottom line here is that Oracle has thumbed its nose at a number of security experts. These experts have simply wanted Oracle to build more secure software and to fix security holes in a timely manner. Now the gloves are coming off – rightly so, IMHO.
I have to again ask the question: why is any DBA or IT Pro worth their salt putting any sensitive data on Oracle?