First Open Source-Based Database Completes U.S. Security Review

RaDag writes: The U.S. government has published a DoD-validated implementation guide, known as a STIG, for EDB Postgres Advanced Server from EnterpriseDB (EDB). This is a first. No other open source database, or open source-based database, has been through the US government's security review process and gotten a STIG published. Having this guide will help agencies seeking an open source-based alternative to costly traditional vendors like Oracle [and] will speed and ease deployment of EDB Postgres, which has database compatibility for Oracle.
They're now working with the U.S. Army, Navy, Marine Corps, and Air Force, according to a company statement. It also says that the Department of Defense and other U.S. government agencies "seek open source alternatives to traditional proprietary software," and see their database solution as "an opportunity to quickly reduce costs and shift away from expensive proprietary vendors, particularly as public policy initiatives around the world mandate adoption of more open source."

Certificate to Field

[Anonymous Coward]

Not really a big deal.
Having a STIG benchmark is nice and all but "Certificate to Field" has been available for Postgres and MySQL for years. Many instances already fielded in critical gov't systems.

Re:Certificate to Field

[Bert64]

Not having STIG is just one extra excuse used by proprietary vendors to try and exclude open source from contracts...

Re:

[twistedcubic]

I agree, My company regular ignores HXU's and simply gets minimal WUD's for running our PFG's.

Re:

[twistedcubic]

Realizing that switching from a proprietary solution is not just hard, but it is in fact by design (and you're wasting money) provides an incentive to switch.

Re:Certificate to Field

[Nivag064]

MySQL is controlled by Oracle, what about MariaDB?

Either way, if your data is important then you should choose PostgreSQL over either!

Re:

[Anonymous Coward]

Why?

Re:

[Anonymous Coward]

Because of Oracle's track record. See here: http://arstechnica.com/information-technology/2016/07/how-oracles-business-as-usual-is-threatening-to-kill-java

If you're just looking to skim, then skip to the timeline labeled "A brief history of Oracle and open source". However, I recommend reading the entire thing.

Captcha: reviled (no joke)

Re:

[Nivag064]

Why?

Since about 2004, I've at least 4 times searched for PostgreSQL vs MySQL. Each time PostgreSQL came ahead in most areas, including referential integrity, fewer gotcha's in the use of NOT NULL and other SQL features.

I've worked with both, and find PostgreSQL easier to setup, manage, and to query.

Have a look at:
https://wiki.postgresql.org/wi... [postgresql.org]
http://insights.dice.com/2015/... [dice.com]
MySQL vs PostgreSQL - Why you shouldn't use MySQL: https://www.youtube.com/watch?... [youtube.com]

Best to think about what is important in YOUR proj

This is NOT an open-source database.

[emil]

EnterpriseDB bundles a PL/SQL implementation that is advertised as compatible with Oracle's procedural SQL language (similar to ADA). This component is NOT open-source.

http://www.enterprisedb.com/compatibility-explained [enterprisedb.com]

IBM bundles the same PL/SQL emulation code in DB2.

First OS Database?

[pr0t0]

I don't believe EDB Postgres is the the first open source-based database. Better possible headlines might be:

1. First! An open source-based database completes U.S. security review
2. An open source-based database completes U.S. security review for the first time ever
3. First! U.S. security review completed for an open source-based database
4. U.S. security review completed for an open source-based database; a first!

I think #3 would have been a much better choice. Than the current one.

Re:

[merky1]

Do grammar standards apply to headlines? Haven't they always been a little obtuse on purpose? I'd much prefer the grammar nazi's edit the somewhat unintelligible summaries than the headlines.

Re:

[TechyImmigrant]

Do grammar standards apply to headlines?

Yes

Re:

[TechyImmigrant]

Age is judged by one's Slashdot ID.

Re:

[TechyImmigrant]

by "here" he meant America

go back to where you belong sand nigger !

Oh look! A trump supporter.

Re:

[TechyImmigrant]

You are apparently ignorant of Hillary's activities.

As are you, unless you hang with her in her office.

Re:

[TechyImmigrant]

anonymous coward has been here since before there where ID's

AC for the win!

"there where" rhymes with "hair bear".

Automatic disqualification.

Re:

[Dutch Gun]

grammar nazi's

You threw that in there on purpose just to draw them out, didn't you... Clever.

Re:

[Desler]

That isn't what the headline is saying and you know it. Stop being intentionally obtuse. There are plenty of better criticisms of the "editors" than this one.

Re:

[sumdumass]

What makes you think that? Nothing with this setup and administration guide to comply with security standards hints to it. And if it did, it would easily be discovered but I'm not sure it matters seeing how this is primarily intended to be used by government contractors working for the government. The NSA technically already has access to it.

Not Open Source

[Anonymous Coward]

While Postgres is open source, and EDB Postgres Advanced Server is based on Postgres, it has several closed source additions. What this means is that the open source database still does not have a STIG. So no, this is not a big win for open source databases, but it is a win for EDB.

Re:

[Lennie]

Well, indirectly it is going to be a win for PostgreSQL of course: EnterpriseDB spends money/developer time on PostgreSQL. The more contracts EnterpriseDB has, the more money they can spent on PostgreSQL developers.

Re:

[laird]

MongoDB is clearly a database. It's not an SQL database, but that's kinda the point, in that not being SQL-based makes it much more efficient for developers, and more performant and flexible in accommodating semi-structured data.

Hmmmm

[dcw3]

Okay, but how's the handling and 0-60 time?
https://en.wikipedia.org/wiki/... [wikipedia.org]

Still Surprising

[ausekilis]

Considering how in bed the Gov't is with proprietary vendors, it's surprising how there is now this about-face regarding OSS. If you could see each services "Approved Software List", you won't see much by way of OSS. You'll see iTunes, which is funny considering there are laws against personally owned mp3's on gov't computers and remote update sites are disabled, but you won't see MySQL, MariaDB or PostGRES. If you do, then they are typically relegated to "enclaves", and not the big DoD enterprise network.