Oracle Has More Flaws Than SQL Server 229
jcatcw writes, "Next Generation Security Software Ltd. of Surrey, England, compared bugs in Oracle and SQL Server that were reported and fixed between December 2000 and November 2006. The tally: Oracle had 233; MS SQL had 59. The products compared were Oracle 8, 9, and 10g; SQL Server 7, 2000 and 2005. From the article: '[The head of the survey said,] "The results show that the reputation that Microsoft SQL Server had back in 2002 for relatively poor security is no longer deserved."' Oracle's response: 'Measuring security is a very complex process, and customers must take a number of factors into consideration — including use-case scenarios, default configurations, as well as vulnerability remediation and disclosure policies and practices.'"
David Litchfied (Score:4, Informative)
NGS have of course done work on SQL Server for Microsoft; I refer you to the brief and rather one-sided flamewar on Bugtraq/FD that erupted when this was pointed out... actually see for yourself [neohapsis.com]... (and here's the Bugtraq thread [neohapsis.com]). I predict this will deal with 75% of the "but this is nonsense, because..." posts ;)
He's got a lot of credibility. This is the point I'm trying to make :)
Re:Summary title is vague (Score:3, Informative)
My experience (Score:5, Informative)
We never contacted Microsoft with anything but the most severe bugs, and only those not documented on their web site. Even having the highest contract possible with Microsoft, they charged us for each phone call. Never once did the first 3 people we talked to have a clue. After going through 3 or 4 people we got to speak to a developer. For every bug except one, we were told to wait for the next official patch or Service Pack to fix our issue. One time we were fortunate enough to have a DLL updated by a developer and sent to us directly. Response by developers was very quick, but the other staff responded slow.
At the same time, Oracle was paying out $10,000 for each bug found. I thought I found the golden ticket. Turns out someone else had reported this extremely obscure bug I found earlier, but it wasn't yet published online anywhere. Every time we contacted Oracle we got to speak to a developer very quickly. On at least one occassion they sent a developer to our office to help investigate a bug. Every bug we reported got a patch very quickly.
The support from Oracle was far far superior to Microsoft. The bugs I ran into with Oracle were also far more obscure than those I found in Microsoft's SQL Server. I couldn't believe some of the things Microsoft left broken for months. Even if Oracle has a larger number of reported bugs I'd pick them over Microsoft any day.
Re:translation (Score:5, Informative)
Thor (Hammer of God) wrote:
David Litchfield is one of the most predominant security researchers in the field, particularly in the area of database security. He and NGS have discovered more combined security vulnerabilities in leading DBMS products than anyone else in the world.
Given this fact, I think that not only is it appropriate for David to give whatever opinions he chooses in his research, but that it is his opinions that actually give the research real, tangible, applicable value. With his indisputable status as an authority on database security and his unwavering integrity, I have no problem whatsoever in considering Dave's opinions to be "fact."
Actually the whole discussion on BUGTRAQ is definitely worth reading. By the way the vulnerability behind Slammer was discovered by guess who - David Litchfield.
Re:My experience (Score:2, Informative)
Not only do even the basement support plans include free support calls, you are never charged if it's a bug in their product. So either you're a very poor communicator, a liar, or what you were calling about wasn't a bug at all.