Did I change opinion? No way! I'm still an "Oracle brainwashed person"!
But I like the humor of Mogens and I found the title shocking! ;-)
David Litchfield published a (shocking) white paper about database security here (pdf here). Apparently M$ SQL Server beats Oracle on security?! I'm not the right guy to discuss this, as I'm too Oracle minded and I'm not a real security man. Pete Finnigan is more the appropriate guy to comment on this article.
Do I believe the article? No. But as I can't proof anything, I keep my mouth shut...
But I like the humor of Mogens and I found the title shocking! ;-)
David Litchfield published a (shocking) white paper about database security here (pdf here). Apparently M$ SQL Server beats Oracle on security?! I'm not the right guy to discuss this, as I'm too Oracle minded and I'm not a real security man. Pete Finnigan is more the appropriate guy to comment on this article.
Do I believe the article? No. But as I can't proof anything, I keep my mouth shut...
I hope some of you comment on this!
Ok...now obviously I'm biased here (towards Oracle) but I have to take exception to this, one paragraph that jumps out at me is -
ReplyDelete"Microsoft patched 59 vulnerabilities in its SQL Server 7, 2000 and 2005 databases during the period, while Oracle issued 233 patches for software flaws in its Oracle 8, 9 and 10g databases."
Errr, correct me if I'm wrong, but that only proves that Oracle fixed more bugs...it doesn't mean that it was left with more bugs still unpatched. To take this to the extreme, if Oracle decided not to patch ANY of their bugs would that make them look better? I think not...
The other paragraph that jumps out -
"The research also pointed out that Microsoft has not issued a single security bulletin for its databases since mid-2003, whereas Oracle has seen a spike in patches in recent years."
Again, all that says to me is tha Microsoft did not issue any security bulletins, it is *not* the same as saying there are no security issues. Does the fact that I'm not running around shouting "I left my front door unlocked" mean that my door is locked? No it doesn't...one thing does not necessarily infer the other.
Oh I do like to read articles like that from time to time ;)
In a Dutch forum they're shouting about this too.
ReplyDeleteThe only problem I find, is that some people only read the title!
But I completely agree with you, John, the paper doesn't really "proof" anything ;-)
The only thing it proofs is that MS waited for 5 years to publish a new version of SQL Server and that they don't publish a lot about security ;-)
I have asked Pete Finnegan about David Litchfield's paper. He is writing a blog article about it. Without wishing to preempt Pete I understand he does think the paper is broadly correct but not complete, and hence overall is not fair to Oracle. Also, check out Alex Kornbrust's posting on the Full Disclosure site: http://lists.grok.org.uk/pipermail/full-disclosure/2006-November/050798.html
ReplyDeleteCheers, APC
In a Dutch forum they're shouting about this too.
ReplyDeleteSame here, the german "Heise online newsticker has already 203 comments for this news posting :-)
Patrick