Slashdot Mirror


Oracle Has More Flaws Than SQL Server

jcatcw writes, "Next Generation Security Software Ltd. of Surrey, England, compared bugs in Oracle and SQL Server that were reported and fixed between December 2000 and November 2006. The tally: Oracle had 233; MS SQL had 59. The products compared were Oracle 8, 9, and 10g; SQL Server 7, 2000 and 2005. From the article: '[The head of the survey said,] "The results show that the reputation that Microsoft SQL Server had back in 2002 for relatively poor security is no longer deserved."' Oracle's response: 'Measuring security is a very complex process, and customers must take a number of factors into consideration — including use-case scenarios, default configurations, as well as vulnerability remediation and disclosure policies and practices.'"

1 of 229 comments

  1. Hold on there! by RemovableBait · Score: 0, Redundant
    To quote from the summary:
    "compared bugs in Oracle and SQL Server that were reported and fixed between December 2000 and November 2006."
    (emphasis mine)

    Now, I'll admit I haven't yet RTFA, but I think we've pretty much been through this before.

    Just because there were more bugs reported and fixed in one product than another does not mean that product is more secure. There could have been hundreds of reported but as-yet-unfixed bugs in one of the products that aren't included. One company could have a greater emphasis on patching, squashing more bugs than its competitor. There could be thousands of unreported, unfixed and unknown bugs in both products. Perhaps not all of these bugs are security flaws. One product may have fewer bugs, but all of them are security related and none of the competitor's are. Need I go on?

    The point is that these comparisons are sensationalism. The same happens in the whole 'Number of Linux patches VS Number of Windows patches' and 'Firefox flaws VS IE flaws' arguments -- and we all know the real story with those.