Welcome to Scribd, the world's digital library. Read, publish, and share books and documents. See more
Download
Standard view
Full view
of .
Look up keyword
Like this
3Activity
0 of .
Results for:
No results containing your search query
P. 1
Comparison Oracle vs Microsoft

Comparison Oracle vs Microsoft

Ratings: (0)|Views: 108|Likes:
Published by rrbbyy
Best comparison between MS SQL 2005 and Oracle 10g databases describe here.
Best comparison between MS SQL 2005 and Oracle 10g databases describe here.

More info:

Published by: rrbbyy on Sep 08, 2009
Copyright:Attribution Non-commercial

Availability:

Read on Scribd mobile: iPhone, iPad and Android.
download as PDF, TXT or read online from Scribd
See more
See less

03/16/2011

pdf

text

original

 
Which database is more secure?Oracle vs. Microsoft
David Litchfield [davidl@ngssoftware.com]21
st
November 2006An NGSSoftware Insight Security Research (NISR) Publication©2006 Next Generation Security Software Ltdhttp://www.ngssoftware.com 
 
Introduction
This paper will examine the differences between the security posture of Microsoft’s SQLServer and Oracle’s RDBMS based upon flaws reported by external security researchersand since fixed by the vendor in question. Only flaws affecting the database serversoftware itself have been considered in compiling this data so issues that affect, forexample, Oracle Application Server have not been included. The sources of informationused whilst compiling the data that forms the basis of this document include:TheMicrosoft Security Bulletinsweb pageTheOracle Security Alertsweb pageTheCVE websiteat Mitre.TheSecurityFocus.comwebsiteA general comparison is made covering Oracle 8, 9 and 10 against SQL Server 7, 2000and 2005. The vendors’ flagship database servers are then compared.
The Comparison
Oracle Microsoft
[See below for larger graphs]The two graphs above show the number of security flaws in the Oracle and Microsoftdatabase servers that have been discovered and fixed since December 2000 untilNovember 2006. Each block represents a single issue with the sole exception of thesingle block in Q2 2005 of the Microsoft graph. This represents Service Pack 4 andwhilst there are no related security bulletins or bugs listed on bugtraq the author felt itworthy of inclusion.
 
 
Oracle 10g Release 2 Microsoft SQL Server 2005
These two graphs indicate flaws that have been discovered by external securityresearchers in both vendors’ flagship database products – namely Oracle 10g Release 2and SQL Server 2005. No security flaws have been announced for SQL Server 2005.It is immediately apparent from these four graphs that Microsoft SQL Server has astronger security posture than the Oracle RDBMS.
Interpretation of results - some Q and A
Do Oracle’s results look so bad because it runs on multiple platforms?
No – pretty much most of the issues are cross-platform. In the 10gR2 graph every flawaffects every platform.
Do the SQL Server 2005 results have no flaws because no-one is looking at it?
No – I know of a number of good researchers are looking at it – SQL Server code is justmore secure than Oracle code.
Do you have any predictions on the Oracle January 2007 Critical Patch Update?
Maybe – NGSSoftware are currently waiting for Oracle to fix 49 security flaws – thesewill be fixed sometime in 2007 and 2008.
Do these results contain unfixed flaws?
No – only those that have been publicly reported and fixed are in the data.
Why have there been so little bugs found in SQL Server since 2002?
Three words: Security Development Lifecycle – SDL. SDL is far and above the mostimportant factor. A key benefit of employing SDL means that knowledge learnt afterfinding and fixing screw ups is not lost; instead it is ploughed back into to the cycle. Thismeans rather than remaking the same mistakes elsewhere you can guarantee that newcode, whilst not necessarily completely secure, is at least more secure than the old code.

You're Reading a Free Preview

Download
scribd
/*********** DO NOT ALTER ANYTHING BELOW THIS LINE ! ************/ var s_code=s.t();if(s_code)document.write(s_code)//-->