Oracle should heed report touting SQL Server security

A prominent security researcher sheds light on Oracle's security lapses, but how will the vendor respond? As Dennis Fisher explains, Oracle should look internally.

Few topics of conversation have the ability to rile up IT security managers, vendors and security researchers as much as a debate over whether one product is inherently more secure than another. The discussions often revolve around a Microsoft product versus an open source alternative and resemble theological arguments, complete with accusations of prejudice, strident rhetoric and even threats of eternal damnation. Most of these arguments are good for little other than entertainment as they're almost always based on subjective opinions and anecdotal experience.

Oracle security:

Podcast: The state of Oracle security

Oracle bulletins will rank patches, offer more detail

Oracle DBAs mixed on security progress

Comes now David Litchfield, author of a new paper analyzing the security of Oracle's database products and Microsoft SQL Server . Litchfield took data from Microsoft and Oracle security bulletins, as well as the MITRE Common Vulnerabilities and Exposures (CVE) database and SecurityFocus Web site, between December 2000 and November 2006 and looked at which set of products had more flaws. The results were startling: Oracle's databases had far more vulnerabilities than SQL Server.

In 2006 alone, there have been 34 vulnerabilities fixed in Oracle 10g Release 2; not one flaw has been found in SQL Server 2005 this year. That's a landslide of Reaganesque proportions. If this had been a boxing match, it would've been stopped in the middle of the first round. "It is immediately apparent…that Microsoft SQL Server has a stronger security posture than the Oracle RDBMS," Litchfield said in the report. "The conclusion is clear – if security robustness and a high degree of assurance are concerns when looking to purchase database server software – given these results one should not be looking at Oracle as a serious contender."

There is not much equivocation there, nor should there be. Few people outside of Fort Meade know more about database security than Litchfield does. He and his brother Mark have spent the last several years hammering on various database offerings, and have found dozens of vulnerabilities. This pastime has made them anathema to some vendors, most notably Oracle, whose security leaders have clashed publicly with the Litchfields on more than one occasion. But the Litchfields are well-respected in the security community, and their opinions carry some weight, a fact that further chafes the vendors.

Litchfield's study is based on empirical data collected by the vendors themselves and neutral third parties, giving him a rock-solid foundation for his conclusion. It seems that the Microsoft push in recent years to write more secure code is paying off in spades. Indeed, Litchfield attributes the disparity in the number of flaws directly to Microsoft's Secure Development Lifecycle, a detailed methodology designed to help developers build more resilient and secure products.

"SDL is far and above the most important factor. A key benefit of employing SDL means that knowledge learnt after finding and fixing screw ups is not lost; instead it is ploughed back into to the cycle. This means rather than remaking the same mistakes elsewhere you can guarantee that new code, whilst not necessarily completely secure, is at least more secure than the old code," Litchfield writes in the paper.

By no means is Redmond doing everything right. They are still too reluctant to release patches outside of the monthly schedule and some of the much-discussed transparency around security that the company's executives have touted has begun to erode. But there is no question that security is a company-wide priority at Microsoft these days.

So what, you may ask, has Oracle been doing while Microsoft was developing and implementing SDL? For starters, they launched a marketing campaign touting their products as "unbreakable." (In fairness, the idea for that campaign came from the executive suite and Oracle's security folks wanted no part of it.) But the company also began using a source code analysis tool from Fortify Software late last year to identify vulnerabilities before products ship. And, Oracle also has begun giving its developers security training.

These are steps in the right direction for which Oracle should be applauded. But they're also several years behind the curve relative to Microsoft, a fact that should be of major concern to IT security teams as they evaluate potential database purchases. Given that attackers are increasingly abandoning worms and DDoS attacks in favor of finding seams in the databases that store sensitive information, security should be at the top of the priority list for enterprises and vendors.

Oracle now must try to pull off the same maneuver Microsoft has and turn the attention of its developers, engineers, product managers and executives to security. If that means delaying products or removing features to improve security, then so be it. The long-term benefits to customers and the company far outweigh the short-term revenue losses.

Read more on IT risk management