
Re: Oracle vs. Microsoft security (David Litchfield)

From: William B Ferguson <wbfergus_at_usgs.gov>
Date: Tue, 21 Nov 2006 07:27:27 -0700
Message-ID: <OF5E541CF5.CE4F2A3B-ON8725722D.004CD068-8725722D.004FBEDD@usgs.gov>


Along with Norman's questions, I had a few of my own as well.

Now let me preface this by saying I try to avoid all this security stuff as much as possible, so I really have no idea, I'm just asking questions.

Isn't the security (ID and password, groups or roles) of SQL Server tied into the OS, whether running as workgroup or under Active Directory, so if an OS id gets hacked (with database rights), the hacker can go straight into the database?

Now this can be accomplished with Oracle as well, IF the DBA has allowed OPS$ logins or IF the id that gets hacked is part of the sysdba group. Am I right on this part? I don't know.

The author also made a point in the article that his graphs only represent publicly reported and fixed flaws. Both companies aren't really known for being forthcoming, so it's left to the reader's imagination which company may be hiding more.

Also, since the graphs only represent publicly reported and fixed flaws (page 3, Q&A), why wasn't another set of graphs done for reported and not fixed?

Also, what are (were) the ramifications of the various flaws? Were all of the security flaws of such catastrophic proportions that somebody could destroy not only the database but the OS as well? Was it restricted to just wiping out the database, or were some restricted to only internal flaws, like a member of one role being able to bypass security to see objects they shouldn't, but not able to destroy the database or OS?

The author also seems to make a big point about the Oracle results only reflecting the listener and the RDBMS and not Application Server or any other Oracle products, but he doesn't make the same qualifications about Microsoft and IIS, though he does say MDAC problems weren't included, since that's OS stuff.

Am I missing stuff that should be blatantly obvious?


                               Bill Ferguson
            U.S. Geological Survey - Minerals Information Team
                           PO Box 25046, MS-750
                           Denver Federal Center
                          Denver, Colorado 80225
           Voice (303)236-8747 ext. 321     Fax   (303)236-4208
      ~ Think on a grand scale, start to implement on a small scale ~
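As an added example (not part of either message in this thread), the following queries are the DBA-side check behind Bill's question: how much of an Oracle instance's authentication is delegated to the operating system, and which accounts would carry an OS identity "straight into the database". They assume an Oracle 10g/11g data dictionary; DBA_USERS.AUTHENTICATION_TYPE is the 11g column, and on older releases the same accounts show PASSWORD = 'EXTERNAL'.

```sql
-- Added example (not from the thread): audit how much of Oracle's
-- authentication is delegated to the operating system.

-- 1. Instance-level switches.
--    os_authent_prefix : prefix ('OPS$' by default) that maps an OS user
--                        onto an IDENTIFIED EXTERNALLY database account.
--    remote_os_authent : if TRUE, the OS identity asserted by a remote
--                        client is trusted as well; this is the setting that
--                        turns a compromised desktop account into database
--                        access. It should be FALSE.
SELECT name, value
  FROM v$parameter
 WHERE name IN ('os_authent_prefix', 'remote_os_authent');

-- 2. Accounts that log in with no database password at all.
--    On 11g+ use AUTHENTICATION_TYPE; on 10g and earlier the same accounts
--    show PASSWORD = 'EXTERNAL'.
SELECT username, account_status, created
  FROM dba_users
 WHERE authentication_type = 'EXTERNAL'
 ORDER BY username;

-- 3. Which externally authenticated accounts also hold powerful roles.
--    An OS account mapped onto one of these is the case Bill describes.
SELECT u.username, r.granted_role
  FROM dba_users u
  JOIN dba_role_privs r ON r.grantee = u.username
 WHERE u.authentication_type = 'EXTERNAL'
   AND r.granted_role IN ('DBA', 'IMP_FULL_DATABASE', 'EXP_FULL_DATABASE')
 ORDER BY u.username, r.granted_role;

-- 4. SYSDBA/SYSOPER holders known to the password file.
--    Membership of the OS dba group (the "sysdba group" Bill mentions) is
--    not visible from SQL and has to be checked on the server itself.
SELECT username, sysdba, sysoper
  FROM v$pwfile_users;
```

Run as a user with SELECT on the dictionary views (SELECT_CATALOG_ROLE or DBA). An empty result from query 2 together with remote_os_authent = FALSE means the OS-identity path Bill asks about is closed for network clients; any rows from query 3 deserve a review of why those accounts need OS authentication at all.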




"Norman Dunbar" <norman.dunbar_at_environment-agency.gov.uk> Sent by: oracle-l-bounce_at_freelists.org
11/21/2006 06:39 AM
Please respond to
norman.dunbar_at_environment-agency.gov.uk

To: <oracle-l_at_freelists.org>, <dreveewee_at_gmail.com>
cc:
Subject: Re: Oracle vs. Microsoft security (David Litchfield)

Hi Andre,

>> Interesting stuff!

>> http://www.databasesecurity.com/dbsec/comparison.pdf

very interesting indeed. I have had a quick look at it, and off the top of my head have a couple (or three) initial thoughts:

... are there 'more' bugs in Oracle because the size of the code(base) is far bigger and more code = more opportunities for errors to creep in?

... is Oracle far more complex than SQL Server - more complexity = more opportunities for bugs?

... is it simply because MS don't announce problems with their code and nothing to do with 'SDL' at all?

I think we should be told.

Obviously, the code I produce has no bugs at all in it, so I'm doing even better than Microsoft - or is it because I don't happen to mention my bugs :o)

Cheers,
Norm.

Norman Dunbar.
Contract Oracle DBA.
Rivers House, Leeds.

Internal : 7 28 2051
External : 0113 231 2051


--
http://www.freelists.org/webpage/oracle-l



Received on Tue Nov 21 2006 - 08:27:27 CST
