Few topics of conversation have the ability to rile up IT
security managers, vendors and security researchers as much as a
debate over whether one product is inherently more secure than
another. The discussions often revolve around a Microsoft product
versus an open source alternative and resemble theological
arguments, complete with accusations of prejudice, strident
rhetoric and even threats of eternal damnation. Most of these
arguments are good for little other than entertainment as they're
almost always based on subjective opinions and anecdotal
experience.
Comes now David Litchfield, author of a new paper analyzing the
security of Oracle's database products and Microsoft SQL Server.
Litchfield took
data from Microsoft and Oracle security bulletins, as well as the
MITRE Common Vulnerabilities and Exposures (CVE) database and
SecurityFocus Web site, between December 2000 and November 2006 and
looked at which set of products had more flaws. The results were
startling: Oracle's databases had far more vulnerabilities than SQL
Server.
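As an added illustration of the kind of tally the study describes (this is not code from Litchfield's paper; the advisory records below are constructed placeholders, and the product-matching patterns are assumptions), here is a small Python script that counts distinct advisories per product family inside a date window. It also shows two choices that move such counts: whether a record is scoped to the database product itself, and whether the same flaw reported by two sources is counted once.

```python
# Added example (not from Litchfield's paper): tally distinct advisories
# per product family inside a date window. All records below are
# constructed placeholders, not real CVE or bulletin entries.
import re
from collections import Counter
from dataclasses import dataclass
from datetime import date
from typing import Iterable, Optional


@dataclass(frozen=True)
class VulnRecord:
    advisory_id: str   # placeholder identifier, not a real CVE number
    published: date
    product: str       # free-text product string as a feed would list it


# Assumed patterns mapping free-text product strings onto the two families
# being compared. Word boundaries keep "MySQL Server" from matching
# "SQL Server", and the Oracle pattern is scoped to the database product.
PRODUCT_FAMILIES = {
    "oracle": re.compile(r"\boracle (database|9i|10g)\b"),
    "sql server": re.compile(r"\b(microsoft )?sql server\b"),
}

# Windows used by the column: calendar 2006, and the study's full span.
YEAR_2006 = (date(2006, 1, 1), date(2006, 12, 31))
STUDY_WINDOW = (date(2000, 12, 1), date(2006, 11, 30))


def classify(product: str) -> Optional[str]:
    """Return the family a product string belongs to, or None if out of scope."""
    text = product.lower()
    for family, pattern in PRODUCT_FAMILIES.items():
        if pattern.search(text):
            return family
    return None


def tally(records: Iterable[VulnRecord], start: date, end: date) -> Counter:
    """Count distinct in-scope advisories per family published in [start, end]."""
    seen = set()
    counts: Counter = Counter()
    for rec in records:
        if not (start <= rec.published <= end):
            continue
        family = classify(rec.product)
        if family is None or rec.advisory_id in seen:
            continue   # out of scope, or the same flaw seen from another feed
        seen.add(rec.advisory_id)
        counts[family] += 1
    return counts


# Constructed sample feed: the same flaw listed twice, one record before
# the window, one non-Microsoft product with "SQL Server" in its name,
# and one Oracle product that is not the database.
SAMPLE = [
    VulnRecord("ADV-0001", date(2006, 1, 15), "Oracle Database 10g Release 2"),
    VulnRecord("ADV-0002", date(2006, 3, 2), "Oracle Database 10g"),
    VulnRecord("ADV-0002", date(2006, 3, 2), "Oracle 10g Release 2"),
    VulnRecord("ADV-0003", date(2005, 11, 30), "Microsoft SQL Server 2000"),
    VulnRecord("ADV-0004", date(2006, 7, 1), "MySQL Server 5.0"),
    VulnRecord("ADV-0005", date(2006, 9, 9), "Oracle Application Server 10g"),
]

if __name__ == "__main__":
    print("2006 only:", dict(tally(SAMPLE, *YEAR_2006)))
    print("Dec 2000 - Nov 2006:", dict(tally(SAMPLE, *STUDY_WINDOW)))
```

Running the script on the constructed feed yields two Oracle advisories and none for SQL Server in 2006, and two versus one over the full window. The point of the sample is that the window, the product scoping and the de-duplication each change the result, so any published count is only comparable when those three choices are stated alongside it.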
In 2006 alone, there have been 34 vulnerabilities fixed in
Oracle 10g Release 2; not one flaw has been found in SQL Server
2005 this year. That's a landslide of Reaganesque proportions. If
this had been a boxing match, it would've been stopped in the
middle of the first round. "It is immediately apparent…that
Microsoft SQL Server has a stronger security posture than the
Oracle RDBMS," Litchfield said in the report. "The conclusion is
clear – if security robustness and a high degree of assurance are
concerns when looking to purchase database server software – given
these results one should not be looking at Oracle as a serious
contender."
There is not much equivocation there, nor should there be. Few
people outside of Fort Meade know more about database security than
Litchfield does. He and his brother Mark have spent the last
several years hammering on various database offerings, and have
found dozens of vulnerabilities. This pastime has made them
anathema to some vendors, most notably Oracle, whose security
leaders have clashed publicly with the Litchfields on more than one
occasion. But the Litchfields are well-respected in the security
community, and their opinions carry some weight, a fact that
further chafes the vendors.
Litchfield's study is based on empirical data collected by the
vendors themselves and neutral third parties, giving him a
rock-solid foundation for his conclusion. It seems that the
Microsoft push in recent years to write more secure code is paying
off in spades. Indeed, Litchfield attributes the disparity in the
number of flaws directly to Microsoft's Secure Development
Lifecycle, a detailed methodology designed to help developers build
more resilient and secure products.
"SDL is far and above the most important factor. A key benefit
of employing SDL means that knowledge learnt after finding and
fixing screw ups is not lost; instead it is ploughed back into
the cycle. This means rather than remaking the same mistakes
elsewhere you can guarantee that new code, whilst not necessarily
completely secure, is at least more secure than the old code,"
Litchfield writes in the paper.
By no means is Redmond doing everything right. They are still
too reluctant to release patches outside of the monthly schedule
and some of the much-discussed transparency around security that
the company's executives have touted has begun to erode. But there
is no question that security is a company-wide priority at
Microsoft these days.
So what, you may ask, has Oracle been doing while Microsoft was
developing and implementing SDL? For starters, they launched a
marketing campaign touting their products as "unbreakable." (In
fairness, the idea for that campaign came from the executive suite
and Oracle's security folks wanted no part of it.) But the company
also began using a source code analysis tool from Fortify Software
late last year to identify vulnerabilities before products ship.
Oracle has also begun giving its developers security training.
These are steps in the right direction for which Oracle should
be applauded. But they're also several years behind the curve
relative to Microsoft, a fact that should be of major concern to IT
security teams as they evaluate potential database purchases. Given
that attackers are increasingly abandoning worms and DDoS attacks
in favor of finding seams in the databases that store sensitive
information, security should be at the top of the priority list for
enterprises and vendors.
Oracle now must try to pull off the same maneuver Microsoft has
and turn the attention of its developers, engineers, product
managers and executives to security. If that means delaying
products or removing features to improve security, then so be it.
The long-term benefits to customers and the company far outweigh
the short-term revenue losses.