Database Vulnerability numbers

Nov 17th, 2006

Category: Vulnerability Management

There’s a post over at Michael Howard’s blog about a study showing that Microsoft SQL Server has a better security record than Oracle or MySQL.
Whilst I agree with the overall point (SQL Server, especially 2005, is way better than Oracle/MySQL on the security front), the numbers this study uses seem odd.
They’ve not specified product version, and that’s just going to make the numbers very odd. They’ve also not (that I can see) specified their exact methodology; the comment above implies that their methodology may not be the best!
Here’s a better (IMO) analysis, using Secunia, which actually breaks things down well by product.
Number of advisories per product from 2003-2006:
Microsoft SQL Server 2000 – 10
Microsoft SQL Server 2005 – 0
MySQL 3 – 11
MySQL 4 – 19
MySQL 5 – 5
Oracle 8i – 17
Oracle 9i Enterprise – 23
Oracle 10g – 13
Now I know it’s possible to argue the point around severity etc. and product age, but I’d say it’s still a pretty clear win for Microsoft…
