Microsoft SQL vs Oracle : David Litchfield Comparison Paper

From what most will consider a more authoritative source than me, David Litchfield, a new paper addresses the question Which database is more secure? Oracle vs. Microsoft.

I recently analyzed the first year of SQL Server 2005 in SQL Server 2005 – 1 Year And Not Yet Counting… and the Enterprise Security Group recently asserted their opinion that “…ESG considers Microsoft to be years ahead of Oracle…”

David Litchield (of NGSSoftware and www.databasesecurity.com) published a paper last week that compares the vulnerability track record of Microsoft SQL and Oracle databases over the past 6 years, as shown in these two charts snipped from the paper:

And how does Litchfield explain the strong Microsoft results in reducing the occurence of securiyt vulnerabilities?  No silver bullet, but an old refrain to those following Microsoft security… Security Development Lifecycle

Why have there been so little bugs found in SQL Server since 2002?
Three words: Security Development Lifecycle – SDL. SDL is far and above the most
important factor. A key benefit of employing SDL means that knowledge learnt after finding and fixing screw ups is not lost; instead it is ploughed back into to the cycle. This means rather than remaking the same mistakes elsewhere you can guarantee that new code, whilst not necessarily completely secure, is at least more secure than the old code.

About the Author
Jeff Jones

Director, Trustworthy Computing

Recognized as one of 25 Most Powerful Voices in Security, Jeff Jones is a 27-year security industry professional that has spent the last decade at Microsoft helping drive security progress as part of the Trustworthy Computing initiative. In this role, Read more »