Bugtraq mailing list archives
"Which is more secure? Oracle vs. Microsoft" (is it a fair comparison?)
From: "Matthew Conover" <matthew_conover () symantec com>
Date: Tue, 21 Nov 2006 20:23:12 -0800
Given that NGS Software participated in Microsoft's Security Development Lifecycle [1] and your paper is already being referenced by Microsoft employees [2], the following question should be addressed to ensure the comparison is fair:

Did NGS Software find any bugs in a version of SQL Server mentioned in the paper (7, 2005, and 2005) during a private security audit which were disclosed to Microsoft and fixed without being mentioned in a Microsoft security bulletin?

If the answer is yes, then it produces two problems pertaining to the paper's accuracy:

1. It (quite significantly) skews the NGS Software comparison paper in favor of Microsoft.
   Reason: Several (the vast majority?) of the Oracle vulnerabilities mentioned in the paper were found by NGS Software, and similar Microsoft SQL Server vulnerabilities NGS Software found were privately fixed.

2. There is a conflict of interest.
   Reason: NGS Software has an interest in SQL Server appearing to be more secure (lest it would reflect poorly on NGS Software's auditing capabilities).

Further if the answer is yes, NGS Software vulnerabilities found in Oracle subsequent to the NGS Software's first security audit of SQL Server should be excluded from this comparison.

If the answer is no, then disregard my comments. Just verifying!

[1] "Windows Vista Security Testing"
http://blogs.msdn.com/windowsvistasecurity/archive/2006/07/28/681833.aspx

[2] "Which Database is More Secure? Oracle vs Microsoft"
http://blogs.msdn.com/michael_howard/archive/2006/11/20/which-database-is-more-secure-oracle-vs-microsoft.aspx

-----Original Message-----
From: David Litchfield [mailto:davidl () ngssoftware com]
Sent: Monday, November 20, 2006 8:28 PM
To: bugtraq () securityfocus com; dbsec () freelists org
Subject: Which is more secure? Oracle vs. Microsoft

Hey all,

What started out as a fun project for me turned out some serious results - "Which is more secure? Oracle vs Microsoft" is a paper I put together looking at the number of security flaws in the Oracle and MS database offerings.

For those that are interested, you can grab a copy of the results here:
http://www.databasesecurity.com/dbsec/comparison.pdf

Cheers,
David