NGSSoftware compares Oracle and SQL Server security

2006/11/25

I first saw this at SQL Server MVP Jasper Smith's blog post Which database is more secure? Oracle vs. Microsoft:

NGSSoftware Whitepaper: Which database is more secure? Oracle vs. Microsoft?

Noted security research David Litchfield did a comparison of reported security vulnerabilities in both database platforms. He excluded ancillary pieces such as Oracle's Application Server and just concentrated on the database engine itself. When you look at the numbers, SQL Server has improved greatly with respect to security. Oracle's numbers are high and they don't seem to be going down. Mr. Litchfield attributes this to the Security Development Lifecycle which Microsoft has developed and implemented. Basically, as flaws are discovered, the root cause of those flaws are identified and plugged back into the system so that those types of flaws aren't repeated. The system isn't perfect, as anyone who has worried about patching the OS (like me) can attest to, but at least as far as SQL Server is concerned, it has been a significant improvement.

One other thing of note in this 10 page whitepaper is that Mr. Litchfield does have a short FAQ and he includes a question asking if the reason SQL Server 2005 hasn't had a security flaw reported and fixed is because it isn't receiving scrutiny. His words:

"No -- I know of a number of good researchers are looking at it -- SQL Server code is just more secure than Oracle code."

Good news for SQL Server. But certainly now is not the time to rest on any laurels.

Technorati Tags: SQL Server | Microsoft SQL Server | SQL Server 7.0 | SQL Server 2000 | SQL Server 2005 | Security | Database Security