Slashdot Mirror

← Back to Stories (view on slashdot.org)

Oracle Has More Flaws Than SQL Server

Posted by kdawson on from the nyah-nyah dept.

jcatcw writes, "Next Generation Security Software Ltd. of Surrey, England, compared bugs in Oracle and SQL Server that were reported and fixed between December 2000 and November 2006. The tally: Oracle had 233; MS SQL had 59. The products compared were Oracle 8, 9, and 10g; SQL Server 7, 2000 and 2005. From the article: '[The head of the survey said,] "The results show that the reputation that Microsoft SQL Server had back in 2002 for relatively poor security is no longer deserved."' Oracle's response: 'Measuring security is a very complex process, and customers must take a number of factors into consideration — including use-case scenarios, default configurations, as well as vulnerability remediation and disclosure policies and practices.'"

5 of 229 comments (clear)

  1. Summary title is vague by ArcherB · · Score: 5, Insightful

    MSSQL is a SQL Server. MySQL is a SQL Server. Oracle is a SQL Server. Please be more specific and explain which SQL Server you are talking about.

    Granted, the summary does explain that the article does indeed refer to MSSQL Server, but please stop calling it just SQL Server. MSSQL Server != SQL Server

    (OK, I feel better. What is the moderation for RANT?)

    --
    There is no "I disagree" mod for a reason. Flamebait, Troll, and Overrated are not substitutes.
  2. Oracle is more complex by sitturat · · Score: 5, Insightful

    Anyone that has tried to read (or even tried to lift up) one of the oracle manuals knows that this is seriously feature-rich and complicated stuff. It would be more interesting to see how many bugs per line of code the two contenders have.

  3. What, specifically, are those "bugs"? by khasim · · Score: 5, Insightful
    Between December 2000 and November 2006, external researchers discovered 233 vulnerabilities in Oracle's products compared with 59 in Microsoft's SQL Server technology, according to NGSS. The study looked at vulnerabilities that were reported and fixed in SQL Server 7, 2000 and 2005 and Oracle's database Versions 8, 9 and 10g.

    Let's see that again.

    The study looked at vulnerabilities that were reported and fixed...

    So, if it wasn't fixed, was it counted?

    The results show that Microsoft's software development life-cycle processes appear to be working, he said.

    Huh? Security is not about "software development life-cycle".

    That's why you have almost daily updates of anti-virus software for Microsoft products.

    In an e-mailed comment, an Oracle spokeswoman said the number of reported vulnerabilities in a product alone is not a measure of the overall security of that software.

    Big time. One remote root vulnerability is worth 10,000 local app crash vulnerabilities.

    "Measuring security is a very complex process, and customers must take a number of factors into consideration -- including use-case scenarios, default configurations as well as vulnerability remediation and disclosure policies and practices."

    Yep. Because Ubuntu has, by default, no open ports. So it is, by default, 100% resistant to worms.

    Remember, you can never count on a user applying a patch. Your system has to be as secure as possible in the default, unpatched, configuration.

    Basing a product's security just on the number of vulnerabilities discovered and fixed may not be the best approach, said Pete Lindstrom, an analyst at Midvale, Utah-based Burton Group.

    Not only is it not "the best approach", it is a fucking idiotic approach only used by morons who have no understanding of what "security" is.

    It's not the number of bugs. It's what access can be gained by that bug and how easily it is to invoke that bug in the various "standard" configurations.
  4. Re:translation by Anonymous Coward · · Score: 5, Insightful

    I'm not an oracle person, but from my understanding oracle allows you to have finer grained security on data, stored procedures and so on than sql server. Perhaps the complexity of oracle compared to sql server is part of the reason there are more bugs.

    Lets face it, a bug report can be anything from a misspelled error message to a gaping sa/root/admin (whatever oracle calls it) compromise.

    Severity is important. For instance, most popular linux distros (minus gentoo) have quite a few security holes do to third party package inclusion. Often the holes are not severe, but they do make linux look artificially insecure compared to some other operating systems. If redhat pushed 90 updates a month at you and Microsoft only 35... well who looks less secure? How many were feature enhancements? How many did each vendor NOT include a fix for?

    Disclaimer: My above reference to linux distros only includes bloated packages like redhat, suse, etc. Most people using these distros tend to do a "full install". I'm a mysql or sql server user whenever possible.

    Often one could argue that smaller companies get less attention so a large number of vulnerabilities would indicate a very insecure product. Oracle is obviously smaller than microsoft as a whole. In this case, oracle gets a lot of attention as its used for large scale deployments as well as their *lovely* business practices.

  5. Re:translation by ZachPruckowski · · Score: 5, Insightful

    You're right. This survey is pretty messed up. I mean, we're comparing *bugs fixed*. Not bugs still open, or any measure of severity, or what got exploited, or any measure of turn-around time.

    This is like saying that Fire Department A put out less fires than Fire Department B. That's nice, but what I really want to know is how long it took for the trucks to arrive, the size of the fires, and also if there are any houses that burned down before the Fire Department got there.