Slashdot Mirror


Oracle Has More Flaws Than SQL Server

jcatcw writes, "Next Generation Security Software Ltd. of Surrey, England, compared bugs in Oracle and SQL Server that were reported and fixed between December 2000 and November 2006. The tally: Oracle had 233; MS SQL had 59. The products compared were Oracle 8, 9, and 10g; SQL Server 7, 2000 and 2005. From the article: '[The head of the survey said,] "The results show that the reputation that Microsoft SQL Server had back in 2002 for relatively poor security is no longer deserved."' Oracle's response: 'Measuring security is a very complex process, and customers must take a number of factors into consideration — including use-case scenarios, default configurations, as well as vulnerability remediation and disclosure policies and practices.'"

4 of 229 comments

  1. Reported AND fixed by nels_tomlinson · Score: 4, Interesting
    From the summary: ... compared bugs in Oracle and SQL Server that were reported and fixed between December 2000 and November 2006.

    Reported and fixed means that the company which doesn't fix bugs looks more secure. Not that I'm implying that MS is worse than Oracle on this, mind you. I just wanted to point out that this metric has loads of potential flaws.

  2. In Oracle's (Pseudo) Defence... by Randolpho · Score: 3, Interesting

    ... they are rather quick to quash and fix a discovered security bug. Yes, there's a reason why I used both words. Check out the aftermath of this example at The Daily WTF.

    --
    "Times have not become more violent. They have just become more televised."
    -Marilyn Manson
  3. Re:Summary title is vague by drinkypoo · Score: 3, Interesting

    Actually, the name of the product is "Microsoft SQL Server". Still a stupid name but it's not just "SQL Server". Lazy techies are responsible for not using the full name, not that I blame them. What I want to know is how Microsoft managed to convince a court that the name of another product of theirs was actually "Windows" and not "Microsoft Windows" (look at the box sometime!) which forced all those other people to change their product names.

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  4. Re:translation by A_Non_Moose · Score: 3, Interesting

    Let's face it, a bug report can be anything from a misspelled error message to a gaping sa/root/admin (whatever Oracle calls it) compromise.

    If that is the case, Oracle's mgmt tools' heavy reliance not only on Java, but on a *specific* version of Java w/o updates I'm aware of, would explain a lot.

    off the top of my head:
    Input fields that don't register the first key press, menu items that don't redraw for some reason, refreshes and connection errors that require exit/relaunch.

    Other frustrations like that, which aren't Oracle's "fault" per se, but don't help the spec/check sheet for bugs.

    Didn't RTFA (yet), but are those counted as bugs? I'd like to know.

    --
    Have you read the moderator guidelines? Well, have you, PUNK? (and I want a Karma: Gnarly option)