Study: Oracle database software has more flaws than SQL Server
Microsoft is often unfairly slammed for security issues, says NGSS
Computerworld - Microsoft Corp may be taking the most heat among software vendors for security problems, but it's not always the one with the worst record.
A comparison of vulnerabilities in Microsoft's SQL Server database with Oracle Corp.'s relational database management products by Next Generation Security Software Ltd. (NGSS) shows that the latter vendor's products to have far more vulnerabilities than do products from Microsoft.
Between December 2000 and November 2006, external researchers discovered 233 vulnerabilities in Oracle's products compared with 59 in Microsoft's SQL Server technology, according to NGSS, which has worked for Microsoft in the past to make its software products more secure. The study looked at vulnerabilities that were reported and fixed in SQL Server 7, 2000 and 2005 and Oracle's database Versions 8, 9 and 10g.
The results show that the reputation that Microsoft SQL Server had back in 2002 for relatively poor security is no longer deserved, said David Litchfield, founder of Surrey, England-based NGSS. And neither is the beating that Microsoft has gotten for security issues, he said.
"I think it's time people got past this, especially security researchers," Litchfield said. "We should be about closing holes and improving a vendor's outlook on security and -- largely -- that battle has been won with Microsoft," he said. The results show that Microsoft's software development life-cycle processes appear to be working, he said.
"There are other battles needing to be fought and won -- Oracle being one of them," Litchfield said.
In an e-mailed comment, an Oracle spokeswoman said the number of reported vulnerabilities in a product alone is not a measure of the overall security of that software.
"Products vary significantly in terms of richness of features and capabilities as well as number of versions and supported platforms," she said. "Measuring security is a very complex process, and customers must take a number of factors into consideration -- including use-case scenarios, default configurations as well as vulnerability remediation and disclosure policies and practices."
Basing a product's security just on the number of vulnerabilities discovered and fixed may not be the best approach, said Pete Lindstrom, an analyst at Midvale, Utah-based Burton Group. "Oracle apparently won an ugly contest," he said. But "there's got to be other criteria other than known vulnerabilities" for measuring software security, Lindstrom said.
Until then, Lindstrom said, "the jury should still be out on what's more or less secure."
The NGSS report comes at a time when security researchers, irked by what they consider to be Oracle's glacial pace of fixing bugs, are increasingly turning their attention to its products. In October, the company announced fixes for over 100 flaws as part of its scheduled quarterly security updates. Many of the flaws were reported to the company by outside researchers.
- Enable secure remote access to 3D data without sacrificing visual perfomance Design and manufacturing companies must adapt quickly to the demands of an increasingly global and competitive economy. To speed time to market for...
- Virtually Delivered High Performance 3D Graphics "A picture is worth a thousand words." That old phrase is as true today as it ever was. Pictures (i.e., those with heavy...
- Best Practices for Securing Hadoop Historically, Apache Hadoop has provided limited security capabilities. To protect sensitive data being stored and analyzed in Hadoop, security architects should use a...
- Top Tips for Securing Big Data Environments: Why Big Data Doesn't Have to Mean Big Security Challenges Organizations must come to terms with the security challenges they introduce. As big data environments ingest more data, organizations will face significant risks...
- What should I look for in a Next Generation Firewall? SANS Provides Guidance With so many vendors claiming to have a Next Generation Firewall (NGFW), it can be difficult to tell what makes each one different....
- Responding to New SSL Cybersecurity Threat The featured Gartner research examines current strategies to address new SSL cybersecurity threats and vulnerabilities. All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!