THE SQL Server Blog Spot on the Web

Welcome to SQLblog.com - The SQL Server blog spot on the web Sign in | |
in Search

Kevin Kline

Who's more secure, Oracle or SQL Server?

 

UK SQL Server MVP Jasper Smith pointed out a really useful resource if you work with or are concerned about both Oracle and SQL Server.  The white paper, by David Litchfield of NGS Software, comparesthe numbers of security flaws identified by external security researchers and subsequently fixed by Oracle and Microsoft in regard to their database products.

http://www.ngssoftware.com/research/papers/comparison.pdf

Here are some interesting quotes:

Q:Do the SQL Server 2005 results have no flaws because no-one is looking at it?

A:No - I know of a number of good researchers are looking at it - SQL Server code is just more secure than Oracle code.

Q:Why have there been so little bugs found in SQL Server since 2002?

A:Three words: Security Development Lifecycle - SDL. SDL is far and above the most important factor. A key benefit of employing SDL means that knowledge learnt after finding and fixing screw ups is not lost; instead it is ploughed back into to the cycle. This means rather than remaking the same mistakes elsewhere you can guarantee that new code, whilst not necessarily completely secure, is at least more secure than the old code.

Cheers,

-Kevin

Published Wednesday, July 18, 2007 4:52 PM by KKline
Filed under:

Comment Notification

If you would like to receive an email when updates are made to this post, please register here

Subscribe to this post's comments using RSS

Comments

 

Evan said:

Very cool..thanks for posting this...

August 1, 2007 10:59 PM

Leave a Comment

(required) 
(required) 
Submit

About KKline

Kevin Kline is a well-known database industry expert, author, and speaker. Kevin is a long-time Microsoft MVP and was one of the founders of PASS, www.sqlpass.org.

This Blog

Syndication

Powered by Community Server (Commercial Edition), by Telligent Systems
  Privacy Statement