In association with heise online

23 November 2006, 13:54

Study shows Microsoft more secure than Oracle


Acknowledged database security specialist David Litchfield of NGSSoftware concludes in a report that Microsoft's SQL Server has, or has had, significantly fewer vulnerabilities than Oracle databases. Litchfield counted the bugs discovered and disclosed in official CVE (Common Vulnerabilities and Exposures) entries between December 2000 and November 2006.

59 bugs were discovered and fixed in SQL Server 7, 2000 and 2005, while Oracle released 233 patches for vulnerabilities in its database versions 8, 9 and 10g. In addition, Litchfield has reported a further 49 vulnerabilities to Oracle which have not yet been published and are therefore not included in the statistics. In Litchfield's opinion, SQL Server 2005 is currently the safest server, with not a single vulnerability discovered to date. The open source database PostgreSQL is also said to be very safe. Oracle has long since lost its reputation for being "unbreakable".

Litchfield has even told US media that it takes him just five minutes to find a new bug in Oracle 10g, something he is not able to achieve with MS SQL Server 2005. The reasons for the better quality include Microsoft's Security Development Lifecycle (SDL). This involves measures such as developing a threat model during the design phase and running static code analysis to prevent bugs during implementation. In addition, Microsoft has introduced code audits and security tests. According to Microsoft, the number of security vulnerabilities found by external security specialists in SDL-based software is significantly lower than in software developed without SDL.

Analysts from the Enterprise Strategy Group come to the same conclusion as Litchfield: Microsoft's SQL Server leads when it comes to security. In their investigation the authors describe SDL as "secure by design, secure by default and secure by deployment". SQL Server 2005 was developed entirely within the framework of SDL.

However, other security specialists note that Litchfield was involved, through NGSSoftware, in the Security Development Lifecycle for Vista. Nor can it be excluded that vulnerabilities in SQL Server have been found and fixed without an official bug report ever being filed.
