Bugtraq mailing list archives
Re: "Which is more secure? Oracle vs. Microsoft" (is it a fair comparison?)
From: "David Litchfield" <davidl () ngssoftware com>
Date: Wed, 22 Nov 2006 10:57:27 -0000
Hi Matt,
Given that NGS Software participated in Microsoft's Security Development Lifecycle [1] and your paper is already being referenced by Microsoft employees [2], the following question should be addressed to ensure the comparison is fair: Did NGS Software find any bugs in a version of SQL Server mentioned in the paper (7, 2005, and 2005) during a private security audit which were disclosed to Microsoft and fixed without being mentioned in a Microsoft security bulletin?
No. Additionally, if I was to find a bug in released code today Microsoft would fix it as usual and a public announcement would be made. It is imperative for both Microsoft and NGSSoftware that NGSSoftware is seen to be independent and not "in the pocket" of Microsoft. Since working with Microsoft we have been publicly credited in many Microsoft Bulletins - here's the list for 2006 alone:
http://www.microsoft.com/technet/security/bulletin/ms06-nov.mspx http://www.microsoft.com/technet/security/bulletin/ms06-aug.mspx http://www.microsoft.com/technet/security/bulletin/ms06-jun.mspx http://www.microsoft.com/technet/security/bulletin/ms06-mar.mspx http://www.microsoft.com/technet/security/bulletin/ms06-jan.mspx The bottom line is that Oracle really is just more buggy. Cheers, David
Current thread:
- Which is more secure? Oracle vs. Microsoft David Litchfield (Nov 21)
- "Which is more secure? Oracle vs. Microsoft" (is it a fair comparison?) Matthew Conover (Nov 22)
- Re: "Which is more secure? Oracle vs. Microsoft" (is it a fair comparison?) David Litchfield (Nov 22)
- "Which is more secure? Oracle vs. Microsoft" (is it a fair comparison?) Matthew Conover (Nov 22)