Slashdot Mirror

← Back to Stories (view on slashdot.org)

First Open Source-Based Database Completes U.S. Security Review

Posted by EditorDavid on from the red-tape-dispenser dept.

RaDag writes: The U.S. government has published a DoD-validated implementation guide, known as a STIG, for EDB Postgres Advanced Server from EnterpriseDB (EDB). This is a first. No other open source database, or open source-based database, has been through the US government's security review process and gotten a STIG published. Having this guide will help agencies seeking an open source-based alternative to costly traditional vendors like Oracle [and] will speed and ease deployment of EDB Postgres, which has database compatibility for Oracle.
They're now working with the U.S. Army, Navy, Marine Corps, and Air Force, according to a company statement. It also says that the Department of Defense and other U.S. government agencies "seek open source alternatives to traditional proprietary software," and see their database solution as "an opportunity to quickly reduce costs and shift away from expensive proprietary vendors, particularly as public policy initiatives around the world mandate adoption of more open source."

10 of 49 comments (clear)

  1. Certificate to Field by Anonymous Coward · · Score: 5, Informative

    Not really a big deal.
    Having a STIG benchmark is nice and all but "Certificate to Field" has been available for Postgres and MySQL for years. Many instances already fielded in critical gov't systems.

    1. Re:Certificate to Field by Bert64 · · Score: 4, Insightful

      Not having STIG is just one extra excuse used by proprietary vendors to try and exclude open source from contracts...

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    2. Re:Certificate to Field by Nivag064 · · Score: 3, Insightful

      MySQL is controlled by Oracle, what about MariaDB?

      Either way, if your data is important then you should choose PostgreSQL over either!

    3. Re:Certificate to Field by twistedcubic · · Score: 2

      I agree, My company regular ignores HXU's and simply gets minimal WUD's for running our PFG's.

    4. Re:Certificate to Field by Nivag064 · · Score: 2

      Why?

      Since about 2004, I've at least 4 times searched for PostgreSQL vs MySQL. Each time PostgreSQL came ahead in most areas, including referential integrity, fewer gotcha's in the use of NOT NULL and other SQL features.

      I've worked with both, and find PostgreSQL easier to setup, manage, and to query.

      Have a look at:
      https://wiki.postgresql.org/wi...
      http://insights.dice.com/2015/...
      MySQL vs PostgreSQL - Why you shouldn't use MySQL: https://www.youtube.com/watch?...

      Best to think about what is important in YOUR project given YOUR situation, and do YOUR own search. Note that the pros & cons forever change!

      What is applicable in one situation, may not apply to another. However, I would expect PostgreSQL to be the better choice in most situations.

  2. Not Open Source by Anonymous Coward · · Score: 5, Informative

    While Postgres is open source, and EDB Postgres Advanced Server is based on Postgres, it has several closed source additions. What this means is that the open source database still does not have a STIG. So no, this is not a big win for open source databases, but it is a win for EDB.

    1. Re:Not Open Source by Lennie · · Score: 2

      Well, indirectly it is going to be a win for PostgreSQL of course: EnterpriseDB spends money/developer time on PostgreSQL. The more contracts EnterpriseDB has, the more money they can spent on PostgreSQL developers.

      --
      New things are always on the horizon
  3. Re:In plain English by sumdumass · · Score: 2

    What makes you think that? Nothing with this setup and administration guide to comply with security standards hints to it. And if it did, it would easily be discovered but I'm not sure it matters seeing how this is primarily intended to be used by government contractors working for the government. The NSA technically already has access to it.

  4. This is NOT an open-source database. by emil · · Score: 3, Informative

    EnterpriseDB bundles a PL/SQL implementation that is advertised as compatible with Oracle's procedural SQL language (similar to ADA). This component is NOT open-source.

    http://www.enterprisedb.com/compatibility-explained

    IBM bundles the same PL/SQL emulation code in DB2.

  5. Re: MongoDB DoD STIG by laird · · Score: 2

    MongoDB is clearly a database. It's not an SQL database, but that's kinda the point, in that not being SQL-based makes it much more efficient for developers, and more performant and flexible in accommodating semi-structured data.

    --
    Enable 3D printed prosthetics!