[dbsec] Re: "Which is more secure? Oracle vs. Microsoft" (is it a fair comparison?)

  • From: "David Litchfield" <davidl@xxxxxxxxxxxxxxx>
  • To: "Matthew Conover" <matthew_conover@xxxxxxxxxxxx>, <bugtraq@xxxxxxxxxxxxxxxxx>, <dbsec@xxxxxxxxxxxxx>
  • Date: Wed, 22 Nov 2006 10:57:27 -0000

Hi Matt,

> Given that NGS Software participated in Microsoft's Security Development
> Lifecycle [1] and your paper is already being referenced by Microsoft
> employees [2], the following question should be addressed to ensure the
> comparison is fair:
> Did NGS Software find any bugs in a version of SQL Server mentioned in
> the paper (7, 2005, and 2005) during a private security audit which were
> disclosed to Microsoft and fixed without being mentioned in a Microsoft
> security bulletin?

No. Additionally, if I were to find a bug in released code today, Microsoft would fix it as usual and a public announcement would be made. It is imperative for both Microsoft and NGSSoftware that NGSSoftware is seen to be independent and not "in the pocket" of Microsoft. Since working with Microsoft we have been publicly credited in many Microsoft Bulletins - here's the list for 2006 alone:


The bottom line is that Oracle really is just more buggy.
