Friday, August 1, 2008

Microsoft SQL Server: World's most secure RDBMS

Hey, that's a pretty controversial headline for a mild-mannered blog like this one! But I think it's supported by evidence.

In November of 2006, Enterprise Strategy Group released an "Information Security Brief" that draws the following conclusions, based on Common Vulnerabilities and Exposures (CVE) data from the National Vulnerability Database:
  • Oracle’s results over the past two years show that much work has to be done to bring the vulnerabilities into line with competing database products from IBM, Microsoft, MySQL and Sybase.
  • ESG considers Microsoft to be years ahead of Oracle and MySQL in producing secure and reliable database products.
  • Microsoft’s results are almost too good to believe, and thus serve as a model for other database vendors.
During that same month, David Litchfield did a separate study based on a broader set of data and reported:
  • It is immediately apparent...that Microsoft SQL Server has a stronger security posture than the Oracle RDBMS.
  • The conclusion is clear – if security robustness and a high degree of assurance are concerns when looking to purchase database server software – given these results one should not be looking at Oracle as a serious contender.
Even before those reports were compiled, Cesar Cerrudo of Argeniss put together this presentation in which he provides lists of Oracle security flaws and SQL Server security strengths and asks, in apparent exasperation, "Why do you think [Oracle] is Secure?" And, "Why do you think [Microsoft] is not Secure?"

It's interesting that Microsoft has several pages on its website where you can find articles like these (albeit not these specific ones) touting the security of SQL Server, while I couldn't find anything on Oracle's site (and I looked) citing independent analyses that provide evidence that Oracle is more secure than SQL Server...and Oracle has had a couple of years to respond.

OK...so, all of this does NOT mean that SQL Server is better than Oracle. Recent releases of Oracle 11g and related products offer all kinds of features that SQL Server doesn't. I'm certain that there are literally thousands of companies currently using Oracle that would be foolish to consider a switch to SQL Server. There may even be hundreds of companies that should seriously consider switching from SQL Server to Oracle, for any number of valid reasons.

But, c'mon, think about it: Microsoft SQL Server more secure than Oracle??? Are we talking about the same Microsoft and Oracle? Unbreakable Oracle?

And don't forget that ESG found SQL Server to be more secure than MySQL...and MySQL doesn't have a target painted on its back. Hackers exploiting flaws in MySQL would be like animal rights activists vandalizing PETA headquarters. Well, not exactly, but it makes an entertaining simile.

In any case, SQL Server has worked great for us. We're looking forward to using some of the features in SQL Server 2008. I'll try to describe how we end up taking advantage of those features in future posts.
