Re: Oracle vs. Microsoft security (David Litchfield)

  • From: William B Ferguson <wbfergus@xxxxxxxx>
  • To: norman.dunbar@xxxxxxxxxxxxxxxxxxxxxxxxx
  • Date: Tue, 21 Nov 2006 07:27:27 -0700

Along with Norman's questions, I had a few of my own as well.

Now let me preface this by saying I try to avoid all this security stuff 
as much as possible, so I really have no idea; I'm just asking questions.

Isn't the security (ID and password, groups or roles) of SQL Server tied 
into the OS, whether running as a workgroup or under Active Directory, so if 
an OS id gets hacked (with database rights), the hacker can go straight 
into the database?

Now this can be accomplished with Oracle as well, IF the DBA has allowed 
OPS$ logins or IF the id that gets hacked is part of the sysdba group. Am 
I right on this part? I don't know.

The author also made a point in the article that his graphs only represent 
publicly reported and fixed flaws. Neither company is really known for 
being forthcoming, so it's left to the reader's imagination which company 
may be hiding more.

Also, since the graphs only represent publicly reported and fixed flaws 
(page 3, Q&A), why wasn't another set of graphs done for reported and not 
fixed?

Also, what are (were) the ramifications of the various flaws? Were all of 
the security flaws of such catastrophic proportions that somebody could 
destroy not only the database but the OS as well? Was it restricted to just 
wiping out the database, or were some restricted to only internal flaws, 
like a member of one role being able to bypass security to see objects 
they shouldn't, but not able to destroy the database or OS?

The author also seems to make a big point about the Oracle results only 
reflecting the listener and the RDBMS and not Application Server or any 
other Oracle products, but he doesn't make the same qualifications about 
Microsoft and IIS, though he does say MDAC problems weren't included, 
since that's OS stuff.

Am I missing stuff that should be blatantly obvious?
-----------------------------------------------------------------------------

                               Bill Ferguson
            U.S. Geological Survey - Minerals Information Team
                           PO Box 25046, MS-750
                           Denver Federal Center
                          Denver, Colorado 80225
           Voice (303)236-8747 ext. 321     Fax   (303)236-4208
      ~ Think on a grand scale, start to implement on a small scale ~

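The OS-to-database coupling Bill asks about (Windows logins on SQL Server, OPS$ / IDENTIFIED EXTERNALLY users and the OS dba group on Oracle) can be checked from the data dictionary of each product. The script below is an added example written for this page, not code from the thread or from either vendor; it assumes a DBA-privileged session on each server, uses only standard dictionary views (the DBA_USERS.AUTHENTICATION_TYPE column is assumed to be 11g or later), and the two halves are meant to be run separately, each against its own DBMS:

```sql
-- ===== Oracle: where does the OS identity reach into the database? =====

-- 1. Accounts that authenticate via the OS (the OPS$ / IDENTIFIED EXTERNALLY
--    users mentioned in the post).  Assumes 11g or later; on 10g and earlier
--    there is no AUTHENTICATION_TYPE column, use  WHERE password = 'EXTERNAL'.
SELECT username, account_status, created
  FROM dba_users
 WHERE authentication_type = 'EXTERNAL'
 ORDER BY username;

-- 2. The parameters that govern OS authentication.  REMOTE_OS_AUTHENT = TRUE
--    is the dangerous one: it trusts the OS user name sent by a remote client,
--    so anyone who can create a matching local account on their own machine
--    can log in as the OPS$ user.  It should be FALSE (the default).
--    OS_AUTHENT_PREFIX is the prefix (default 'OPS$') glued onto the OS name.
SELECT name, value
  FROM v$parameter
 WHERE name IN ('os_authent_prefix',
                'remote_os_authent',
                'remote_login_passwordfile')
 ORDER BY name;

-- 3. Accounts holding SYSDBA/SYSOPER through the password file.  Membership
--    of the OS dba group (ORA_DBA on Windows, typically 'dba' on Unix) lets a
--    local OS user connect with  "/ AS SYSDBA"  without any entry here, which
--    is exactly the "hacked OS id with database rights" case; that group has
--    to be audited at the OS level, not from SQL.
SELECT username, sysdba, sysoper
  FROM v$pwfile_users
 ORDER BY username;


-- ===== SQL Server: Windows logins and who gets sysadmin from them =====

-- 1. Authentication mode: 1 = Windows authentication only, 0 = mixed mode.
SELECT SERVERPROPERTY('IsIntegratedSecurityOnly') AS windows_auth_only;

-- 2. Every Windows user (type U) or Windows group (type G) that is a server
--    login, and whether it sits in the sysadmin fixed server role.  A
--    compromised domain or local account that is a member of one of these
--    groups inherits those database rights.  SQL Server 2000 and 2005 put
--    BUILTIN\Administrators into sysadmin by default, so every local admin
--    on the box was also a database administrator.
SELECT name,
       type_desc,
       IS_SRVROLEMEMBER('sysadmin', name) AS is_sysadmin,
       is_disabled
  FROM sys.server_principals
 WHERE type IN ('U', 'G')
 ORDER BY is_sysadmin DESC, name;
```

Reading the results: any row in the first Oracle query, or any Windows group in the SQL Server query with is_sysadmin = 1, is a place where compromising an OS account is enough to reach the database without a database password.
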



"Norman Dunbar" <norman.dunbar@xxxxxxxxxxxxxxxxxxxxxxxxx> 
Sent by: oracle-l-bounce@xxxxxxxxxxxxx
11/21/2006 06:39 AM
Please respond to norman.dunbar@xxxxxxxxxxxxxxxxxxxxxxxxx
To: <oracle-l@xxxxxxxxxxxxx>, <dreveewee@xxxxxxxxx>
cc:
Subject: Re: Oracle vs. Microsoft security (David Litchfield)

Hi Andre,

>> Interesting stuff!

>> http://www.databasesecurity.com/dbsec/comparison.pdf 

very interesting indeed. I have had a quick look at it, and off the top
of my head have a couple (or three) initial thoughts:

... are there 'more' bugs in Oracle because the size of the codebase
is far bigger, and more code = more opportunities for errors to creep in?

... is Oracle far more complex than SQL Server - more complexity = more
opportunities for bugs?

... is it simply because MS don't announce problems with their code and
nothing to do with 'SDL' at all ?

I think we should be told.

Obviously, the code I produce has no bugs at all in it, so I'm doing
even better than Microsoft - or is it because I don't happen to mention
my bugs :o)


Cheers,
Norm.

Norman Dunbar.
Contract Oracle DBA.
Rivers House, Leeds.

Internal : 7 28 2051
External : 0113 231 2051

--
//www.freelists.org/webpage/oracle-l