Microsoft SQL Server Runs the Security Table

re: Microsoft SQL Server Runs the Security Table

Mike H. — Thu, 16 Nov 2006 21:02:54 GMT

I don't believe the data at all in this report and anyone who takes a look at the nvd.nist.gov site will see that his numbers are total BS.

It looks like this persons research was based upon doing a few very basic searches in the nvd.nist.gov database. If I do the same searches he used; yes I get 2 results for "Microsoft database" but they have nothing to do with SQL server. One issue is around Visual Studio and another is around some non-Microsoft portal product.

How many of the "hits" in his simple query are totally wrong for Oracle and MySQL? Unless there is a bit better proof than citing a couple poor queries this document means nothing and shouldn't be something Microsoft is proud of.

re: Microsoft SQL Server Runs the Security Table

Rory McCune — Fri, 17 Nov 2006 11:28:43 GMT

Whilst I agree with the overall point, SQL server (especially 2005) is waay better than Oracle/MySQL on the security front, the numbers this study uses seem odd..

They've not specified product version and that's just going to make the numbers very odd, they've also not (that I can see) specified their exact methodology the comment above implies that their methodology may not be the best!

Here's a better (IMO) analysis, using secunia which actually breaks things down well by product

Number of advisories per product from 2003-2006

Microsoft SQL Server 2000 - 10

Microsoft SQL Server 2005 - 0

MySQL 3 - 11

MySQL 4 - 19

MySQL 5 - 5

Oracle 8i - 17

Oracle 9i Enterprise - 23

Oracle 10g - 13

Now I know it's possible to argue the point around severity etc and product age, but I'd say still a pretty clear win for Microsoft...

Which Database is More Secure? Oracle vs Microsoft

Michael Howard's Web Log — Tue, 21 Nov 2006 10:39:23 GMT

I was quite surprised when a number of folks criticized the data used in the report titled " Microsoft