Oracle databases worse than Microsoft's in terms of security
November 27, 2006
Microsoft's databases may be taking the most heat among software vendors for overall security problems. However, they aren't always the ones with the worst record in terms of security breaches. It appears that Oracle now holds that record.
An overall comparison of security vulnerabilities in Microsoft's SQL Server database and Oracle's relational database management (RDBM) products by U.K.-based Next Generation Security Software (NGSS) shows Oracle's databases to have far more vulnerabilities than competing products from the Redmond giant.
According to NGSS, between Dec. 2000 and Nov. 2006, external researchers discovered no less than 233 security vulnerabilities in Oracle's products compared to just 59 in Microsoft's SQL Server.
The study looked at vulnerabilities that were reported and successfully repaired in SQL Server ver. 7, 2000 and 2005 and Oracle's database versions 8, 9, and 10g.
The results of the report reveal that the reputation for relatively poor security that MS SQL server had back in 2002 is no longer deserved, said David Litchfield, founder of NGSS. Also, either is the beating that Microsoft has received for security issues, he said.
"I think it's high time people got past this, especially security researchers," Litchfield said. "We should be about closing holes and improving a vendor's outlook on security and -- largely -- that battle has been won with Microsoft," he said. The results show that Microsoft's software development lifecycle processes appear to be working, he said.
"There are other battles needing to be fought and won -- Oracle being one of them," he said.
In an emailed comment, an Oracle spokeswoman said the number of reported vulnerabilities in a product alone isn't a mere measure of the overall security of that software.
"Database products vary significantly in terms of richness of features and capabilities as well as number of versions and supported platforms," she said. "Measuring security is a very complex process, and users must take a large number of factors into consideration -- including use case scenarios, default configurations, as well as security vulnerability remediation, disclosure policies and practices."
Basing a product's security just on the number of vulnerabilities discovered and fixed may not be the best approach, said Pete Lindstrom, an analyst with Midvale, Utah-based Burton Group."Oracle apparently won an ugly contest," Lindstrom said. But "there's got to be other criteria other than known vulnerabilities" for measuring software security, he said.
Until then, "the jury should still be out on what's more or less secure," Lindstrom said. The NGSS report comes at a time when security researchers, irked by what they consider to be Oracle's glacial pace of fixing bugs, are increasingly turning their attention to its products. In October, the company announced fixes for over one-hundred flaws as part of its scheduled quarterly security updates.
Many of the flaws were reported to the company by outside researchers.
Just last week, Argeniss Information Security in Buenos Aires announced plans to disclose one zero-day bug every day for a week in December.
In a note posted on the company's Web site, founder Cesar Cerrudo said the idea is to highlight the current state of Oracle software security. "We want to demonstrate that Oracle isn't getting any better at securing its products," and continues to take a very long time to address bugs, the note said.
"We could do the Year of Oracle Database Bugs but we think a week is enough to show how flawed Oracle software is," the note read.
Source: IT World Canada
Become an authorized reseller of Proxy Sentinel™ and Firewall Sentinel™. Do like the rest of our authorized resellers and have your clients benefit the important security features of our products and solutions, while increasing your sales at the same time. Click here for all the details.
You can link to the
Internet Security web site as
much as you like. Read our section on how your company can participate in our
reciprocal link exchange program
and increase your rankings
in the major search engines such as
Site optimized by Pagina+™
Powered by Sun Hosting
Search engine keywords by Rank for Sales
Development platform by My Web Services
Internet Security.ca is listed in
Global Business Listing