More on Database vulnerability numbers

Nov 21st, 2006

Category: Vulnerability Management


There’s some more data comparing Oracle and MS SQL Server vulnerability levels over at Michael Howard’s blog.
There’s a link to a study by David Litchfield on the numbers here, which comes to much the same conclusion as looking at the Secunia numbers, but does a more accurate job of analysing the findings by drawing on a number of sources.
The clear point is that Microsoft have done a very good job on the security of MS SQL Server 2005, and if someone were to ask me about a choice between these two “enterprise database” vendors in terms of security, it would be a bit of a no-brainer!
One thing you can see is that this study, whilst still coming to the same conclusion (that MS SQL Server is more secure than Oracle), actually has quite different numbers from the ESG study that was quoted in Michael’s earlier blog posting here.
At a rough count the NGS paper lists ~58 MS SQL Server vulnerabilities whilst the ESG one lists fewer than 10 (there’s no background data, so it’s hard to tell), and it’s a similar story for Oracle, with well over a hundred in the NGS paper and only 70 in the ESG one.
IMO that’s a good reason to dig a bit deeper on these things rather than go with something like CVE, which isn’t really designed for the purpose. The same result has come out, but by being able to see what’s actually being counted it becomes more believable and harder for people to argue with the stats.
