Take That!

  • Take That!

    SQL Slammer is ancient news. Along with the worm preying on blank sa passwords, those were the darkest days of SQL Server security. I know they'll still be brought up constantly, but they're really a long way in the past. I know Oracle had issues last year and earlier this year getting their patches out in a timely manner, but they've improved quite a bit over the years as well.

    However, according to an analyst for the Enterprise Security Group, SQL Server is the safest database with only 2 vulnerabilities compared to Oracle's 70, MySQL's 59, and DB2's 4. Sybase rounds out the big ones with 7. I didn't get the report since I'm not sure it's worth the $500 they're charging, but it's interesting to see such a disparity.

    And I think it speaks to the tremendous effort put into the development of SQL Server 2005. As much as I might complain at times about the way the product has developed or been handled, I think the team at Microsoft has done a fantastic job and they've really focused on security. It's a tough problem to work on and I know that there are places where I've been annoyed at the tremendous granularity, but overall a good system has been implemented.

    As with any report or survey or anything including statistics, you have to take it with a grain of salt to be sure that you can understand how they arrived at their information. However this is certainly one I'll enjoy sharing with my Oracle friends 🙂

    Steve Jones

  • Wow, that's interesting! I know a lot of open-source advocates tout how much more secure open-source products (e.g. Linux, Apache, MySQL, etc.) are compared to Microsoft's offerings. Neat to see Microsoft doing well in this area. I wonder if MySQL users' retort will be, "Well so what...it's free!"

  • Not sure. I do agree that SQL Server is definitely a good product, but it's worth bearing in mind that a substantial proportion of its security is palmed off onto the server OS and the network OS. Active Directory and Windows in its various guises have a whole tranche of security issues, so I wonder how well SQL Server would score if the relevant (i.e. directly equivalent to what Oracle has to do on its own) OS vulnerabilities were included too.

    Also worth bearing in mind that anyone looking for vulnerabilities will tend to spend their effort on the systems that'll provide greatest returns.

    My guess is that all the DB manufacturers are doing a pretty similar job on security, and the disparity in scores is a result of these two issues instead.

    Semper in excretia, suus solum profundum variat

  • It is nice to see SQL Server getting some positive press on the security side. SQL Slammer was big news because of its impact on non-related systems (and networks).

    However, even given these vulnerabilities, most of the time data is compromised not through a vulnerability in the database software, but rather in the application code accessing said database software. This is a point I often try to make when people start getting into "my database product is better than yours" type of arguments. SQL injection will get any of these. Poor access control in the application will take you down regardless of how tightly your database server is secured. And stolen laptops which aren't encrypted containing sensitive data... yeah, well, it doesn't really matter what the database software is, does it?

    K. Brian Kelley
    @kbriankelley
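The point above, that the application layer rather than the database engine is where most compromises happen, is easy to show in code. The following is an added example, not code from the thread or from any of the posters: the same lookup is written once with string concatenation and once with a bound parameter, against an in-memory SQLite database standing in for whichever engine an application happens to use. The table, rows, and function names are constructed for the demonstration.

```python
"""
Added example (not from the thread): one application-layer defect, shown as
string concatenation next to its parameterized fix. SQLite is used only
because it runs in-process; the defect and the fix are engine-agnostic.
"""
import sqlite3

# Constructed sample data; table layout and rows are assumptions for the demo.
SAMPLE_USERS = [
    ("alice", "staff"),
    ("bob", "staff"),
    ("carol", "admin"),
]


def make_db() -> sqlite3.Connection:
    """Create an in-memory database populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, role TEXT NOT NULL)")
    conn.executemany("INSERT INTO users (name, role) VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_role_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """Build the statement by string formatting.

    The caller's input becomes part of the SQL text, so the engine parses and
    executes whatever the input turns the statement into. No hardening of the
    database server itself changes this; the server is doing exactly what the
    application asked.
    """
    sql = f"SELECT name, role FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_role_safe(conn: sqlite3.Connection, name: str) -> list:
    """Same query with a bound parameter.

    The input is handed to the driver as a value and is never parsed as SQL,
    so quote characters or keywords in it cannot alter the statement's shape.
    """
    sql = "SELECT name, role FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def demo() -> dict:
    """Run both lookups with an ordinary name and with a constructed hostile
    string, and return the four result sets for comparison."""
    conn = make_db()
    benign = "alice"
    hostile = "' OR '1'='1"  # constructed tautology input for the demonstration
    return {
        "vuln_benign": lookup_role_vulnerable(conn, benign),
        "vuln_hostile": lookup_role_vulnerable(conn, hostile),
        "safe_benign": lookup_role_safe(conn, benign),
        "safe_hostile": lookup_role_safe(conn, hostile),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label:13s} -> {rows}")
```

Running it shows the concatenated version returning every row for the hostile input while the parameterized version returns nothing, which is the whole argument of the post in miniature: the engine behaved correctly in both cases, and only the application code decided whether the input was data or grammar.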
