
Michael Howard's Web Log

A Simple Software Security Guy at Microsoft!
Which Database is More Secure? Oracle vs Microsoft

I was quite surprised when a number of folks criticized the data used in the report titled "Microsoft SQL Server Runs the Security Table" from ESG - it was just CVE data!

Well, David Litchfield has done some of his own research, and created a report comparing SQL Server and Oracle.

David is no slouch, he has found security bugs in both SQL Server and Oracle. But, I'll let you draw your own conclusions.

Posted: Monday, November 20, 2006 11:33 PM by michael_HOWARD

Comments

Konstantin Kosinsky said:

Came across Michael Howard's blog this morning ( http://blogs.msdn.com/michael_howard/archive/2006/11/20/which-database-is-more-secure-oracle-vs-microsoft.aspx

# November 21, 2006 3:26 AM

Rory McCune said:

Interesting report, makes a nice clear case, and it's good to see all the details on the methodology that was used

I think that one of the problems with using just CVE data for this kind of work, as that first study seems to have, is that it doesn't really lend itself to searching for all vulnerabilities for a given product ... from their FAQ

"B6. Can I search CVE by operating system?

The CVE search was designed to help identify specific vulnerabilities and exposures, and not to find sets of problems that share common attributes such as operating systems. Therefore, you should not search CVE by operating system because your results will be incomplete."

(yeah I know that this isn't by operating system, but I think that the principle remains :O)

# November 21, 2006 7:26 AM
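Rory's point above, that a CVE keyword search is not a reliable way to enumerate everything affecting one product, illustrated with an added Python example that is not part of the original post or of either report. The records, product names and CVE-style identifiers below are constructed placeholders, not real CVE entries; the point is that a free-text match and a structured affected-product field can give the same total while disagreeing about which entries are in the set.

```python
"""
Added example (constructed data): comparing a description-keyword search
against a structured affected-product field when counting CVE-style records
per product. None of the IDs, vendors or products below are real.
"""
from dataclasses import dataclass


@dataclass
class CveRecord:
    cve_id: str
    description: str
    affected_products: list  # constructed list of (vendor, product) tuples


# Constructed sample records. "AcmeDB", "OtherDB" and "WidgetCMS" are
# placeholder products; the CVE-0000-* IDs are placeholders too.
RECORDS = [
    CveRecord("CVE-0000-0001",
              "Buffer overflow in the extended stored procedure handler of AcmeDB Server 7.",
              [("acme", "acmedb_server")]),
    CveRecord("CVE-0000-0002",
              "Privilege escalation in the PL/X procedural language allows local users to gain DBA rights.",
              [("acme", "acmedb_server")]),  # affects AcmeDB but never names it
    CveRecord("CVE-0000-0003",
              "SQL injection in the WidgetCMS login page.",
              [("widget", "widgetcms")]),
    CveRecord("CVE-0000-0004",
              "Denial of service in the OtherDB listener via a malformed packet.",
              [("other", "otherdb")]),
    CveRecord("CVE-0000-0005",
              "Integer overflow in the shared ODBC driver shipped with AcmeDB and OtherDB.",
              [("acme", "acmedb_server"), ("other", "otherdb")]),
    CveRecord("CVE-0000-0006",
              "Cross-site scripting in the AcmeDB documentation portal.",
              [("acme", "docs_portal")]),  # names AcmeDB but is a different product
]


def count_by_keyword(records, keyword):
    """IDs whose free-text description contains the keyword (case-insensitive)."""
    kw = keyword.lower()
    return sorted(r.cve_id for r in records if kw in r.description.lower())


def count_by_product(records, vendor, product):
    """IDs whose structured affected-product list names the (vendor, product)."""
    return sorted(r.cve_id for r in records
                  if (vendor, product) in r.affected_products)


def compare(records, keyword, vendor, product):
    """Show where the two methods disagree for one product."""
    by_kw = set(count_by_keyword(records, keyword))
    by_prod = set(count_by_product(records, vendor, product))
    return {
        "keyword_only": sorted(by_kw - by_prod),  # false hits from the keyword search
        "product_only": sorted(by_prod - by_kw),  # real entries the keyword search misses
        "both": sorted(by_kw & by_prod),
    }


if __name__ == "__main__":
    kw_hits = count_by_keyword(RECORDS, "AcmeDB")
    prod_hits = count_by_product(RECORDS, "acme", "acmedb_server")
    print("keyword count:", len(kw_hits), "product count:", len(prod_hits))
    print(compare(RECORDS, "AcmeDB", "acme", "acmedb_server"))
```

On the constructed data both methods report three entries for AcmeDB, yet one of the keyword hits is a different product and one genuine AcmeDB entry is missed entirely, which is exactly the kind of gap a headline "N vulnerabilities per product" figure hides.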

Rock said:

Litchfield used to be a big critic of MSFT - until they hired him. Is this yet another case of MSFT buying off someone to shut them up?

# November 30, 2006 4:52 PM

michael_HOWARD said:

Mr Rock.

>>Litchfield used to be a big critic of MSFT

So you know what? We listened, and we did something. The figures speak for themselves, the SQL team has done a tremendous job.

# November 30, 2006 10:10 PM

Lubomir said:

[snip]

Litchfield ranked Microsoft SQL Server 2000 service pack 4 as the most secure database in the market, together with the PostgreSQL open source project. He ranked Oracle's 10g database at the bottom.

[snip]

(http://www.vnunet.com/vnunet/news/2169225/microsoft-beats-oracle-security)

So Microsoft or Postgres? I think now it comes to performance, but... wait a second:

[snip]

d.  Benchmark Testing. You may not disclose the results of any benchmark test of either the Server Software or Client Software to any third party without Microsoft's prior written approval.

[snip]

(Microsoft SQL Server 2000 EULA)

Okay, so price decides, am I not right?

Anyways, according to "just CVE data", Microsoft SQL Server was affected by 57 issues compared to Postgres' 40 since 1999. Any comments on this, Michael?

# December 4, 2006 11:14 AM

michael_HOWARD said:

>>Any comments on this, Michael?

You bet - it all comes down to "does the database do what you want" - I cannot answer that for Postgres, I've never used it! And I know of no customer using it either. Of course, I'm not saying no-one uses it, but I have yet to meet anyone that uses it. I know lots of people running SQL Server, DB2, MySQL, and Oracle, however.

# December 5, 2006 6:10 PM

sandeep said:

What about MS Access?

# December 6, 2006 1:17 AM

K. Scott Allen said:

Does Microsoft have a set of guardian angels? Think of all the killer threats they've seen over the years.Threats...

# June 9, 2007 2:13 PM

BusinessRx Reading List said:

Does Microsoft have a set of guardian angels? Think of all the killer threats they've seen over the years.

# June 9, 2007 2:15 PM