Vulnerabilities, that is. It has been about a year now since SQL Server 2005 shipped, so I thought this would be a good time to review how it has done security-wise. The latest SQL Server product from Microsoft has had zero vulnerabilities disclosed or fixed in its first year of availability.
First, I want to applaud the SQL team as one that really embraced the Security Development Lifecycle (SDL), and, as a result, SQL 2005 went through two passes of the SDL. SQL 2000 SP3 went through a “mini SDL” process (in the sense that there are some portions of the SDL that just can’t be applied to a short service pack cycle), getting the internal security training and doing threat models, security testing, etc. By the time SQL 2005 was in development, training, tools and process had made some further improvements in SDL which (optimistically) contributed to SQL 2005 security quality.
It has been a good first year for SQL Server 2005, especially taking the overall context into consideration. First, look at the “first 9 months of the year” trends for database security. This chart shows CVE database disclosures during January through September over the past few years:
Reviewing the CVE list, there have been zero SQL Server disclosures since September 2004, and that September 2004 entry is the only one in the past 3 years.
I also find it interesting to note that “Unbreakable Oracle” leads the pack in vulnerabilities, followed by MySQL, with a fairly consistent rate of vulnerabilities disclosed.
Note that these numbers were through September, so do not include most of the vulnerabilities from the latest Oracle Critical Patch Update – October 2006, which included 22 database fixes.