Linked by Thom Holwerda on Fri 24th Nov 2006 19:48 UTC, submitted by jayson.knight
Databases Microsoft is beating Oracle hands down with the security of its database, according to a new report. David Litchfield, a security researcher with NGS Software, published a whitepaper entitled Which database is more secure? Oracle vs. Microsoft on 21 November comparing the number of software vulnerabilities patched by both vendors in their respective products in the past six years.
Order by: Score:
SQL Injection
by Jack_Green on Fri 24th Nov 2006 20:36 UTC
Jack_Green
Member since:
2006-01-04

The article mentions the high number of SQL injection reports in Oracle vs MS SQL, but I was under the impression that SQL injection was an issue for the application using the database to worry about, not the database itself. How does a database protect against SQL injection anyway? Isn't the injected code still valid SQL?

Reply Score: 2

RE: SQL Injection
by tomcat on Sat 25th Nov 2006 06:25 UTC in reply to "SQL Injection"
tomcat Member since:
2006-01-06

That's partially correct -- SQL injection attacks are typically associated with application problems, but (1) Oracle has a variety of applications (CRM, etc) that they sell in conjunction with their database, and (2) if Oracle has core stored procedures that receive SQL commands of any kind, it's possible to construct malicious SQL.

Reply Score: 1

RE[2]: SQL Injection
by twitter on Sun 26th Nov 2006 10:28 UTC in reply to "SQL Injection"
twitter Member since:
2005-07-25

I believe the popular interpretation of these things is that if it happens with Microsoft products it's a lack of security in the part of the vendor; if it happens with any other product then it's the developer's fault and the vendor is never to be blamed.

Reply Score: 1

RE[3]: SQL Injection
by NotParker on Sun 26th Nov 2006 19:22 UTC in reply to "RE[2]: SQL Injection"
NotParker Member since:
2006-06-01

I believe the popular interpretation of these things is that if it happens with Microsoft products it's a lack of security in the part of the vendor; if it happens with any other product then it's the developer's fault and the vendor is never to be blamed.

If you had read the paper:

"Only flaws affecting the database server
software itself have been considered in compiling this data so issues that affect, for
example, Oracle Application Server have not been included."

"Oracle's database is suffering from a large number of SQL injection vulnerabilities that can be easily exploited through the web.

SQL injection attacks occur when attackers execute commands or queries by e ntering special code into online forms, thereby tricking the database to expose confidential data.

Litchfield said that the database was especially vulnerable to so-called second order SQL injection flaws. Exploits for such a flaw involve a two-step process in which attackers first enter seemingly harmless information into the database.

But when the data is used in a second query at a later time, it will cause the payload to execute.
"

So, Litchfield isn't cataloging application sql injection vulnerabilities.

Reply Score: 1

sukru
Member since:
2006-11-19

There has been a recent news item on this issue. The SQL server team adopted "Secure Development Lifecycle", which allowed them to run an entire year without any security vulnerabilities. (However, they did issue a security patch after this period).

MSDN bloggers have more information on the subject. I've found http://blogs.msdn.com/michael_howard/ especially relevant.

Edited 2006-11-24 20:45

Reply Score: 3

number of patches as a measure
by Yoda on Fri 24th Nov 2006 20:55 UTC
Yoda
Member since:
2006-05-30

Quote Edsger Dijkstra:

“Program testing can be used to show the presence of bugs,
but never to show their absence.”


Bottom line:

The number of patches in a given timeframe is _not_ a measure to objectivate the number of bugs in a given software-product

(bugs is an uncountable dimension)

Reply Score: 1

RE: number of patches as a measure
by MollyC on Fri 24th Nov 2006 22:33 UTC in reply to "number of patches as a measure"
MollyC Member since:
2006-07-04

Instead of spinning this away, you might want to just accept that Microsoft is improving on the security front. Besides this database server issue, there's also the web server area where IIS6 has had a much better security record than Apache 2 since 2003 (see NotParker's post in today's "Virtualization not mature for consumers" thread (which has been modded down to -4 for no apparent reason):
http://www.osnews.com/permalink.php?news_id=16553&comment_id=185021
).

I know that many of you don't *want* Microsoft to improve security in their products (and when presented with evidence that they are improving, you put your hands over your eyes and ears like the judges in Planet of the Apes), because that's the issue that you use most to bash them (it used to be stability, but Microsoft largely fixed that issue). But you're putting your head in the sand if you think that Microsoft isn't doing anything to address that. The security argument will fade as time goes on, and you'll have to move on to other reasons to bash Microsoft's products. Rather than being upset about it or in denial over it, you should be pleased that a company whose products are so widely used is improving the security of those products.

Reply Score: 5

behemot Member since:
2005-11-14

Microsoft is doing a great job in security, at least on servers where I use some of its software, in the late years. Linuxe, err, I mean some people (followers of the mighty Bruce Perens) just don't like of Microsoft. The comparison became more conclusive if you follow Apache in the 1.3 release and includes IIS 5.x and 4.0.

Reply Score: 1

re: number of patches as a measure
by sukru on Fri 24th Nov 2006 21:32 UTC
sukru
Member since:
2006-11-19

You're right. academic courses teach that software cannot be proven not to contain any bugs. And general experience shows that any non-trivial program will probably contain many.

And you're also right for saying not finding any bug does not mean none exists.

However, the average time one needs to use the software in order to encounter a bug, could be accepted as a good heuristic to show the robustness of the software.

Since it took all the users more than a year to find one bug in SQL Server 2005, and it took the author of the article only 15 minutes to find one in Oracle database, for my personal interests, I can accept that SQL Server is more secure than Oracle offerings. (Yet I cannot claim this is a proof).

Finally, this does not mean that SQL Server has better functionality, user interface or performance. It's only about security. Additionaly the comparison does not include alternatives, especially the open source project PostgreSQL is known to be very secure.

Reply Score: 3

NotParker Member since:
2006-06-01

Finally, this does not mean that SQL Server has better functionality, user interface or performance.

It doesn't rule it out either.

SQL Server has 7 of the top 10 on the TPC-C price/performance chart:

http://www.tpc.org/tpcc/results/tpcc_price_perf_results.asp

And holds #4 on the performance chart (which is usually reserved for very, very expensive setups. In this case the Microsoft entry was around 6 million)

http://www.tpc.org/tpcc/results/tpcc_perf_results.asp

And 2 out of 10 on the culstered results page: http://www.tpc.org/tpcc/results/tpcc_perf_results.asp?resulttype=no...

It's only about security. Additionaly the comparison does not include alternatives, especially the open source project PostgreSQL is known to be very secure.

Postgresql is mentioned in the article.

Reply Score: 3

chemical_scum Member since:
2005-11-02

sukru:
It's only about security. Additionaly the comparison does not include alternatives, especially the open source project PostgreSQL is known to be very secure..

NotParker:
Postgresql is mentioned in the article.

What the article says is:
Litchfield ranked Microsoft SQL Server 2000 service pack 4 as the most secure database in the market, together with the PostgreSQL open source project.

Didn't want to mention how good a FOSS project is eh? NotParker

Edited 2006-11-25 00:42

Reply Score: 1

NotParker Member since:
2006-06-01

Didn't want to mention how good a FOSS project is eh? NotParker

I have no idea whether Postgresql is any good at all, having never used it. I do use SQL 2000 and SQL 2005. And since both of those come in free versions all the way up to Enterprise versions with a lot of fantastic extras such as Reporting, Notifications, Data Mining etc, I prefer them.

Reply Score: 2

tomcat Member since:
2006-01-06

You're right. academic courses teach that software cannot be proven not to contain any bugs.

Not true. Look up Proof of Correctness. It's actually possible to prove that a program has zero defects; however, the cost of applying such proofs to programs increases exponentially over time.

Reply Score: 0

Recent experience
by abdavidson on Sat 25th Nov 2006 01:29 UTC
abdavidson
Member since:
2005-07-06

Just this week at work we queried the way a third party tool was working or not working (I'm not going into it) that interacted with SQL Server 2000/2005.

It interacted in one way with 2005 but in another way with 2000.

The response we got from the company was that with 2000 they took advantage of a security hole to (etc etc etc)

Quite hard to believe actually but given the situation it was the only logical explanation.

So just because patching slowed down doesn't *automatically* follow that it is suddenly rock solid.

Reply Score: 1

RE: Recent experience
by tomcat on Sat 25th Nov 2006 06:34 UTC in reply to "Recent experience"
tomcat Member since:
2006-01-06

So just because patching slowed down doesn't *automatically* follow that it is suddenly rock solid.

As we all (should) know, security through obscurity doesn't work; consequently, Microsoft can't hide flaws from disclosure.

So, I ask, where are all of the reported security vulnerabilities in SQL 2005? If the absence of patches isn't proof of better reliability, then shouldn't the absence of reported vulnerabilites be proof? If not that, then what would suffice? A finger in the wind? Chanting? Crystals?

Reply Score: 3

RE[2]: Recent experience
by abdavidson on Sat 25th Nov 2006 10:37 UTC in reply to "RE: Recent experience"
abdavidson Member since:
2005-07-06

"So, I ask, where are all of the reported security vulnerabilities in SQL 2005? If the absence of patches isn't proof of better reliability, then shouldn't the absence of reported vulnerabilites be proof?"

No the corollary is not implied. Not in any kind of absolute fashion.

What *both* tell you is that so far there have been no issues found and that is a good sign because it implies there are no obvious problems TO be found.

That is it though. I don't personally have any issue with that and don't believe that OSS provides much more security in and of itself though (the usual tired argument lurking in the background whenever security by obscurity is brought up).

Good development process and responsive management of defects and vulnerabilities are far more important than many eyes (with no definition of their skills or technical qualifications) looking at a codebase.

Reply Score: 1

RE[3]: Recent experience
by tomcat on Sun 26th Nov 2006 17:39 UTC in reply to "RE[2]: Recent experience"
tomcat Member since:
2006-01-06

I agree with most of your comments. What I was driving at was ... many people aren't willing to give MS any credit for improving their products' robustness and security. So, in essence, what would it take for the more zealous FOSS supporters to acknowledge that MS's products are simply better in certain circumstances? Personally, I don't see it happening -- at least among the zealots -- but I think that time is the best measure of progress for security. If MS has actually made progress here (and it appears that it has), then the industry as a whole will acknowledge it. After all, stability used to be a huge concern, MS addressed it with XP, and it's generally not much of an issue anymore; hence, the ABMers moved on to play the security card. I have to wonder what they'll attack when security (while not completely diminishing as an issue) becomes less of an issue.

Reply Score: 1

RE[4]: Recent experience
by Tweek on Mon 27th Nov 2006 03:58 UTC in reply to "RE[3]: Recent experience"
Tweek Member since:
2006-01-12

yeah but why do you even care about the zealots.

just ignore them, they dont count anyways and are not in a position to be choosing products

Reply Score: 1

RE[5]: Recent experience
by tomcat on Mon 27th Nov 2006 16:56 UTC in reply to "RE[4]: Recent experience"
tomcat Member since:
2006-01-06

yeah but why do you even care about the zealots.

just ignore them, they dont count anyways and are not in a position to be choosing products


Zealots make the most noise -- and the addle-brained around here tend to parrot their sentiments, like some kind of meme.

Reply Score: 1

MikeekiM
Member since:
2005-11-16

Any time the vast majority of your programming population is learning and using "Asp.Net in 24 hours", and coding and calling the database right from the Asp.net page, without using Command Objects,
then, that page is subject to Sql Injection.

Without calls using Command Objects( PreparedStatements in Java ),
and/or Stored Procedures, you are open to sql injection.

>>Microsoft patched 59 vulnerabilities in its SQL Server 7, 2000 and 2005 databases during the period, while Oracle issued 233 patches for software flaws in its Oracle 8, 9 and 10g databases.

Or, it could mean Oracle has a larger programming staff fixing more problems, meaning Oracle is doing more work in this area, and Microsoft is the laggard.

Reply Score: 1

NotParker Member since:
2006-06-01

Or, it could mean Oracle has a larger programming staff fixing more problems, meaning Oracle is doing more work in this area, and Microsoft is the laggard.

It could ... but then again if you read the article:

On page 4 there is a graph with 34 blue blocks for Oracle 10g Release 2 and 0 for SQL 2005:

"These two graphs indicate flaws that have been discovered by external security researchers in both vendors’ flagship database products – namely Oracle 10g Release 2 and SQL Server 2005. No security flaws have been announced for SQL Server 2005."

In the next little Q and A section:

"Q: Do the SQL Server 2005 results have no flaws because no-one is looking at it?

A: No – I know of a number of good researchers are looking at it – SQL Server code is just more secure than Oracle code."

34 to 0 for external researchers finding flaws in Oracle vs SQL 2005.

I consider this pretty conclusive that Microsoft is NOT "the laggard".

Reply Score: 5

Is the test objective?
by walterbyrd on Mon 27th Nov 2006 03:33 UTC
walterbyrd
Member since:
2005-12-31

I have used MS-SQL server, and I found it to be fast and stable. I did not test the security.

However, I have to ask about this test because msft has been know to rig tests before. Msft does it all the time.

Does NGS Software have some special business deal with msft?

Reply Score: 1

RE: Is the test objective?
by NotParker on Mon 27th Nov 2006 08:21 UTC in reply to "Is the test objective?"
NotParker Member since:
2006-06-01

However, I have to ask about this test because msft has been know to rig tests before. Msft does it all the time.

Microsoft haters make unsubstantiated charges like that all the time. They usually have zero facts on their side.

Did Linus pay you?

Reply Score: 0

RE: Is the test objective?
by jayson.knight on Mon 27th Nov 2006 10:01 UTC in reply to "Is the test objective?"
jayson.knight Member since:
2005-07-06

I seriously doubt the test was rigged, however any reports like this done on MS software has to be approved by MS before being publicly released...or at the very least confirmed by MS.

Reply Score: 1

RE[2]: Is the test objective?
by NotParker on Mon 27th Nov 2006 18:01 UTC in reply to "RE: Is the test objective?"
NotParker Member since:
2006-06-01

I seriously doubt the test was rigged, however any reports like this done on MS software has to be approved by MS before being publicly released...or at the very least confirmed by MS.

You didn't read the paper. The paper categorizes security problems. Nothing had to be approved by Microsoft.

Reply Score: 1