Oracle has more Flaws than MS SQL?

[Jordan]

Study: Oracle database software has more flaws than SQL Server

Microsoft is often unfairly slammed for security issues, says NGSS

November 25, 2006 (Computerworld) -- Microsoft Corp may be taking the most heat among software vendors for security problems, but it's not always the one with the worst record.


A comparison of vulnerabilities in Microsoft's SQL Server database with Oracle Corp.'s relational database management products by Next Generation Security Software Ltd. (NGSS) shows that the latter vendor's products to have far more vulnerabilities than do products from Microsoft.


Between December 2000 and November 2006, external researchers discovered 233 vulnerabilities in Oracle's products compared with 59 in Microsoft's SQL Server technology, according to NGSS, which has worked for Microsoft in the past to make its software products more secure. The study looked at vulnerabilities that were reported and fixed in SQL Server 7, 2000 and 2005 and Oracle's database Versions 8, 9 and 10g.


The results show that the reputation that Microsoft SQL Server had back in 2002 for relatively poor security is no longer deserved, said David Litchfield, founder of Surrey, England-based NGSS. And neither is the beating that Microsoft has gotten for security issues, he said.


"I think it's time people got past this, especially security researchers," Litchfield said. "We should be about closing holes and improving a vendor's outlook on security and -- largely -- that battle has been won with Microsoft," he said. The results show that Microsoft's software development life-cycle processes appear to be working, he said.


"There are other battles needing to be fought and won -- Oracle being one of them," Litchfield said.


In an e-mailed comment, an Oracle spokeswoman said the number of reported vulnerabilities in a product alone is not a measure of the overall security of that software.


"Products vary significantly in terms of richness of features and capabilities as well as number of versions and supported platforms," she said. "Measuring security is a very complex process, and customers must take a number of factors into consideration -- including use-case scenarios, default configurations as well as vulnerability remediation and disclosure policies and practices."




Fully Story

[WingedPanther]

Personally, having used both products, I think you'd have to be touched in the head to voluntarily use Oracle. Their servers are a royal pain to configure.

[Jordan]

I've never configured Oracle but I have watched it (all thirteen CDs). Once it is up and running I prefer Oracle though. I hate MS SQL servers, they irritate me bad.

[Lop]

Would never have guessed that, Oracle seems like such a power house.

[TcM]

Hmm I cant believe that!! I thought that Oracle was the best :S

[Jordan]

Quote:

Originally Posted by Tcm9669

Hmm I cant believe that!! I thought that Oracle was the best :S

Depends on who you talk to and what you need it for. I know guys that prefer MySQL, MS SQL and some of the other smaller ones.

[WingedPanther]

Oracle's tools are written in Java: not a bad language, but very sluggish when interacting with the database.

[Lop]

I like MySQL myself.

[Nightracer]

Wow, that is hard to believe. I would think any MS product would automatically have more flaws.

[TcM]

Quote:

Originally Posted by Nightracer

Wow, that is hard to believe. I would think any MS product would automatically have more flaws.

At least they did something right