Newsgroups: comp.databases.oracle.server Path: text.usenetserver.com!out02a.usenetserver.com!news.usenetserver.com!in02.usenetserver.com!news.usenetserver.com!postnews.google.com!news4.google.com!news.glorb.com!sws1!ornl!news.er.usgs.gov!news From: Brian Peasland Subject: Re: how bad are these vulnerabilities? In-Reply-To: X-Nntp-Posting-Host: edc-cv-160-66.cr.usgs.gov Content-Type: text/plain; charset=windows-1252; format=flowed Message-ID: User-Agent: Thunderbird 1.5.0.8 (Windows/20061025) Sender: news@igsrsparc2.er.usgs.gov (Janet Walz (GD) x6739) Content-Transfer-Encoding: 8bit Organization: U.S. Geological Survey, Reston VA References: Mime-Version: 1.0 Date: Thu, 30 Nov 2006 03:51:29 GMT Lines: 57 Xref: usenetserver.com comp.databases.oracle.server:418349 X-Received-Date: Wed, 29 Nov 2006 22:54:19 EST (text.usenetserver.com) TG wrote: > http://www.eweek.com/article2/0,1895,2064828,00.asp?kc=EWEWEMNL112706EP21A > > I took a boo at this guys(David Litchfield) white paper, it reads more > like an infomercial for MS-SQL. Nonetheless the sql server advocates in > my company are going to try and use this as ammo to convert existing > oracle db's to ms-sql by brandishing this report to the powers that be.. > To quote from the article, "The conclusion is clear—if security robustness and a high degree of assurance are concerns when looking to purchase database server software—given these results one should not be looking at Oracle as a serious contender". On the surface, one might take this seriously. But lets consider other factors. For starters, MS SQL Server *must* run on MS Windows, the least secure OS in major use today. You're better off running Unix as the OS...and you can't run SQL Server on Unix. I'm more afraid of hacks in to our servers than our databases. And time and time again, it has been proven that there a many, many times more successful hacks on the OS than on the database. Additionally, great database security experts like David Litchfield and Pete Finnigan have gone to great lengths to find the security holes in the Oracle database *and* work with Oracle to get those holes fixed. (Whether or not Oracle Corp is as responsive as we'd like them to be in this manner is another question). I have not yet seen the same effort applied to SQL Server. This does not mean that the security holes do not exist though. Finally, the article really does not do security justice. The white paper mentioned in the article makes its determination *solely* on the number of *known vulnerabilities* in Oracle and SQL Server. Nowhere in the white paper are these vulnerabilities classified by the impact should the known exploit be used. Not all security vulnerabilities are equal. The white paper does not address the features in either database that make the data and the database more secure. If it did, Oracle would win on that front. This white paper alone, is hardly any justification for moving your company's applications to SQL Server. Cheers, Brian -- =================================================================== Brian Peasland dba@nospam.peasland.net http://www.peasland.net Remove the "nospam." from the email address to email me. "I can give it to you cheap, quick, and good. Now pick two out of the three" - Unknown