Re: "Which is more secure? Oracle vs. Microsoft" (is it a fair comparison?)

Inline:

On 11/24/06 10:46 AM, "stopmakingnoise@xxxxxxxxx"
<stopmakingnoise@xxxxxxxxx> opined:

Having said this, do we really need a paper telling us:

- "SQL Server code is just more secure than Oracle code."

- "Does Oracle have an equivalent of SDL?
Looking at the results, I don‚t think so."

- "[...] given these results one should not be looking at Oracle as a serious
contender."

I don't think so. This is plain FUD.
Want to write a paper comparing flaws found in these two DBMS? That's fine.
Please write down numbers and graphs, but - please! - refrain from any
comments which are not
factual but are your own's.

To get to the point: I may agree and sympathize with your personal point of
view (in fact, I do)
but these sentences have NOTHING to do in a supposedly research-oriented
paper.

David Litchfield is one of the most predominant security researchers in the
field, particularly in the area of database security. He and NGS have
discovered more combined security vulnerabilities in leading DBMS products
than anyone else in the world.

Given this fact, I think that not only is it appropriate for David to give
whatever opinions he chooses in his research, but that it is his opinions
that actually give the research real, tangible, applicable value. With his
indisputable status as an authority on database security and his unwavering
integrity, I have no problem whatsoever in considering Dave's opinions to be
"fact."

As a matter of fact, if we start talking about things such as "looking at
Oracle as a serious contender", you wouldn't arrive at the point of evaluating
SQL Server because there would be no point at all in considering Microsoft's
Operating Systems, given their extremely negative security records, as
"serious contenders" themselves.

Any point that you may have had regarding "FUD" and "comments that are not
factual but one's own" were totally lost by this statement in a sadly ironic
way.

T

Relevant Pages

  • Re: Oracle licence question
    ... Edition to SQL Server Enterprise it is not. ... Oracle standard has no Business Intelligence; ... Data Encryption is included with SQL Server Standard, ... Advanced Security is not included with Oracle Standard, ...
    (comp.databases.oracle.server)
  • Re: SQL Server vs Oracle?!
    ... Well, between December 2000 and November 2006, 233 security vulnerabilities were found in Oracle database products by OUTSIDE researchers versus 59 for SQL server. ...
    (microsoft.public.dotnet.framework.aspnet)
  • Re: SQL Server for Oracle DBAs
    ... Name 1 that exposes a physical security software defect in SQL Server 2005. ... Don't forget to post the URL to the KB article or independent security bulletin. ... You went searching for issues in Oracle. ...
    (comp.databases.oracle.server)
  • Re: SQL Server vs Oracle?!
    ... That's a fair point...but, without having a source handy, I'm almost positive that there have been no security issues with SQL Server 2005 while there have been numeruous issues with Oracle's latest offering - 30 something this year alone I believe. ... Oracle has seen a huge increase in security issues lately and has received a ...
    (microsoft.public.dotnet.framework.aspnet)
  • [Full-disclosure] RE: Oracle read-only user can insert/update/delete data
    ... I have sent testcases to Oracle too that shows that it works against any oracle version currently ... Buffer Overflow Vulnerability (SCO Security Advisories) ... Mandriva Linux 2006.0/X86_64: ...
    (Full-Disclosure)