New security brief (in English) from the Enterprise Strategy Group (Eric Ogren) on vulnerabilities & exposures in SQL Server, MySQL and Oracle
Enterprise Strategy Group analyst Eric Ogren issues a very positive, non-commissioned research brief praising Microsoft SQL Server security in comparison to industry competitors. Ogren highlights the respective number of common vulnerabilities & exposures (CVEs) in SQL Server, Oracle, and MySQL products; SQL Server proves to be the most secure since 2003. This extremely favorable report includes a nod to Microsoft's Security Development Lifecycle (SDL) and a concluding recommendation that other database vendors look at SQL Server - and the SDL - as examples of secure development and deployment for their own products.
Additional article (in English):
Study: Oracle database software has more flaws than SQL Server
Microsoft is often unfairly slammed for security issues, says NGSS
No Joking About SQL Server Security
by Brian Moran
I'm a Microsoft fan, but I admit that telling Microsoft jokes is almost as easy as telling lawyer jokes. (I hope my legal team isn't reading this, taking offense, and padding their bills to me in retaliation.) Security--or arguably the lack thereof--has long been an area in which Joe Public likes to poke fun at Microsoft. Because so many desktops worldwide run Windows, the popular press has countless opportunities for pointing out Microsoft's foibles in this space.
But it looks like Microsoft might be improving its security reputation, especially in the SQL Server realm. A recent security briefing published by the Enterprise Strategy Group (ESG), "Microsoft SQL Server Runs the Security Table" (http://lists.sqlmag.com/t?ctl=41E4C:3655D3), might be of interest to database and security professionals around the world. According to this compelling 3-page paper, "ESG considers Microsoft, with proper execution, to be years ahead of Oracle and MySQL in producing secure and reliable database products."
Hmm. Wow. Could it be true? I'm not from Missouri, but I believe in the words of the state's nickname, The Show-Me State. Seeing is believing--unless you're at a magic show.
The ESG report focuses on a review of Common Vulnerabilities and Exposures (CVE) data from the National Institute of Science and Technology (NIST) National Vulnerability Database to compare security vulnerabilities in SQL Server, Oracle, and MySQL. The results were interesting. For 2006, SQL Server currently has two CVEs, MySQL has 59 CVEs, and Oracle has 70 CVEs. (Note that although ESG's paper focuses on SQL Server, Oracle, and MySQL, Sybase has seven CVEs for 2006 and IBM DB2 has four.)
I'm not a security expert, and to be honest, I don't know for sure that the National Vulnerability Database is the only--or best--indicator of database vulnerabilities. But all the vendors who are included in the database self-report, and the ESG report says that it used the National Vulnerability Database because it's a registry that collects data from numerous commercial, academic, and research groups who focus on security matters. The difference between two SQL Server CVEs and 70 Oracle CVEs has to mean
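Counts like the ones quoted above depend on how the tally is done: which year a CVE is assigned to (publication date versus the year in its identifier) and whether one CVE that lists several product versions is counted once or several times. The script below is an added example, not code from ESG or from this column; it assumes records in the shape of NVD API 2.0 JSON (a `cve` object with `published` and `configurations` -> `nodes` -> `cpeMatch` entries carrying CPE 2.3 `criteria` strings), and the CVE IDs, dates and CPEs in the sample are constructed.

```python
def make_record(cve_id, published, criteria):
    """Build one record in NVD API 2.0 shape (helper for the constructed sample)."""
    matches = [{"vulnerable": True, "criteria": c} for c in criteria]
    return {"cve": {"id": cve_id, "published": published,
                    "configurations": [{"nodes": [{"cpeMatch": matches}]}]}}

# Constructed sample: IDs, dates and CPE strings are made up for illustration.
SAMPLE_NVD = {"vulnerabilities": [
    make_record("CVE-2006-0001", "2006-03-10T00:00:00.000",
                ["cpe:2.3:a:oracle:database_server:9.2:*:*:*:*:*:*:*"]),
    make_record("CVE-2006-0002", "2006-07-01T00:00:00.000",
                ["cpe:2.3:a:mysql:mysql:5.0:*:*:*:*:*:*:*",
                 "cpe:2.3:a:mysql:mysql:4.1:*:*:*:*:*:*:*"]),  # two versions, one CVE
    make_record("CVE-2005-0003", "2006-01-05T00:00:00.000",
                ["cpe:2.3:a:microsoft:sql_server:2000:sp3:*:*:*:*:*:*"]),  # 2005 id, published 2006
]}


def vendor_product(criteria):
    """Return (vendor, product) from a CPE 2.3 string: cpe:2.3:<part>:<vendor>:<product>:..."""
    parts = criteria.split(":")
    return parts[3], parts[4]


def count_cves(nvd, year, by="published"):
    """Count distinct CVE IDs per (vendor, product) for one year.

    by="published" assigns a CVE to the year of its NVD publication date;
    by="id" assigns it to the year embedded in the CVE identifier. The two
    rules can disagree, so a per-year count needs to state which one it uses.
    Distinct IDs are counted, so a CVE listing several affected versions of
    the same product adds one, not one per version.
    """
    seen = {}
    for entry in nvd["vulnerabilities"]:
        cve = entry["cve"]
        if by == "published":
            cve_year = int(cve["published"][:4])
        else:
            cve_year = int(cve["id"].split("-")[1])
        if cve_year != year:
            continue
        for conf in cve.get("configurations", []):
            for node in conf["nodes"]:
                for match in node["cpeMatch"]:
                    if match["vulnerable"]:
                        seen.setdefault(vendor_product(match["criteria"]), set()).add(cve["id"])
    return {key: len(ids) for key, ids in seen.items()}
```

Raw counts weight a remote code execution and a minor information leak equally, which is one reason a CVE tally alone is a coarse comparison between products.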
The report notes that "Microsoft's results are almost too good to be true," and the Missouri lover in me also marvels at the reported results. Honestly, I'd be inclined to discount the report if it weren't for the connections I have with certain members of the SQL Server product and program-management teams. I was with certain Microsoft engineers on the day that Slammer swept the world a few years ago, and I know how embarrassing that event was for Microsoft. I've heard all the standard "we're going to make it better" promises and understand why customers have been skeptical. But I've been able to talk to the SQL Server team members who are responsible for implementing those promises, and I know that they take their responsibility very seriously. Usually, the adage "if it looks too good to be true, then it's probably not true" is correct, but in this case, the good news really is true. Usually it's easy to poke fun at Microsoft, but Microsoft has been kicking some serious butt in the race to have a hardened, secure
Slammer, and the incessant wave of security patches that followed, forced Microsoft to make hard decisions about the way that security would be managed, and at one point caused a many-months-long delay of new work on SQL Server 2005 and 2000 as massive engineering resources were pumped into detailed code review and design reviews to ensure that security was "baked into the core," as some Microsoft folks like to say. Read the entire ESG report for more insight about how Microsoft achieved these impressive CVE results for 2006. Instead of "it's too good to be true," perhaps this time the best advice is "don't look a gift horse in the mouth."