It's probably dangerous to assert that the availability of source code does not make a product more vulnerable. I think given an overall picture of what makes a product vulnerable, the availability of source (and assuming you are running the product in an unmodified form) clearly adds an element of risk to the use of such a product. I'm not saying that it's the sole reason not to use the product, but it should be a serious consideration.

I agree that all software is subject to security vulnerabilities, but I would suggest that it's not the nature of open source that makes it more secure. Instead, what makes a product a likely target of penetration testing is the size of a given product's install base and the target value potential that makes a product more or less likely to be the target of hack attempts. That's why you will see a product such as Oracle or DB2 or SQL Server have larger penetration risk footprints than, say, something obscure like Firebird.

As a result of this conjecture, I would expect that an open source database that is in more widespread use, like MySQL, probably has more identified exploits than something like Firebird. Additionally, I'd suggest that a product like Oracle, which has a large functional footprint, is more likely to have discoverable vulnerabilities than a smaller functional footprint product (say, MySQL).

Just a few thoughts off the top of my head...

RF

Robert G. Freeman
Oracle ACE
Author:
Oracle Database 11g RMAN Backup and Recovery (Oracle Press) - ON ITS WAY SOON!
OCP: Oracle Database 11g Administrator Certified Professional Study Guide (Sybex)
Oracle Database 11g New Features (Oracle Press)
Portable DBA: Oracle (Oracle Press)
Oracle Database 10g New Features (Oracle Press)
Oracle9i RMAN Backup and Recovery (Oracle Press)
Oracle9i New Features (Oracle Press)
Other various titles out of print now...
Blog: http://robertgfreeman.blogspot.com
The LDS Church is looking for DBAs. You do have to be a Church member in good standing.
A lot of kind people write me, concerned I may be breaking the law by saying you have to be a Church member. It's legal, I promise! :-)
http://pages.sssnet.com/messndal/church/parachurch.pdf

________________________________
From: Matthew Zito <mzito@xxxxxxxxxxx>
To: Richard.Goulet@xxxxxxxxxxx; srcdco@xxxxxxx; oracle-l@xxxxxxxxxxxxx
Sent: Tuesday, September 15, 2009 9:58:00 AM
Subject: RE: Firebird DB - What Does Anyone Know?

I'd also like to strenuously object to the assertion that Open Source = easier to hack into. All software products are vulnerable to security issues, and Oracle's CPUs demonstrate clearly that being closed-source helps them little in terms of identifying them. In fact, there's a long track record in open-source software where random savvy users have identified security vulnerabilities and supplied patches to the community. No opportunity for that with Oracle.

I think the maintainability of open-source software is a valid concern, especially if there's not a large company/robust community behind it.

To answer your original question, Firebird is fine. It's an embedded database, very lightweight, very nichey. I'm not aware of any commercial backing for it, except ISVs who embed it.

Matt

--
Matthew Zito
Chief Scientist
GridApp Systems
P: 646-452-4090
mzito@xxxxxxxxxxx
http://www.gridapp.com

________________________________
From: oracle-l-bounce@xxxxxxxxxxxxx on behalf of Goulet, Richard
Date: Tue. 9/15/2009 11:48
To: srcdco@xxxxxxx; oracle-l@xxxxxxxxxxxxx
Subject: RE: Firebird DB - What Does Anyone Know?

Scott,

OH Boy, been a long time since I looked at Firebird, so this may well be dated. Yes, it is open source, not exactly SQL compliant, and very poorly protected. A table is a file & the data therein is flat ASCII, so very easy to read. Great for small projects with a limited number of users that are not web attached.
Dick Goulet
Senior Oracle DBA/NA Team Lead
PAREXEL International

________________________________
From: oracle-l-bounce@xxxxxxxxxxxxx [mailto:oracle-l-bounce@xxxxxxxxxxxxx] On Behalf Of Scott Canaan
Sent: Tuesday, September 15, 2009 11:41 AM
To: oracle-l@xxxxxxxxxxxxx
Subject: Firebird DB - What Does Anyone Know?

One of our departments is looking at a product that uses a Firebird database. I've done some online research and found out that it is an open source database. I've brought this up with the vendor, stating that since it's open source, it's easy for hackers to get a copy to play with. Their response was to challenge me to break into their system and database, which I thought was an interesting response. It was the only technical question thrown at them that they got visibly angry about.

My question is: Is anyone familiar with this database and how secure it is? If so, does it support any kind of encryption? I've not been able to find anything about encryption, either of the data itself or of the network, on this product.

In the end, if the department purchases this package, we won't be supporting the database, but I'm trying to do my due diligence in advising them of any issues, particularly security issues, that I can find.

Thank you,

Scott Canaan '88 (Scott.Canaan@xxxxxxx)
(585) 475-7886
"Life is like a sewer, what you get out of it depends on what you put into it." - Tom Lehrer.
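Added example, not part of the oracle-l thread and not Firebird project code: the data-at-rest check that Scott's due-diligence question and Goulet's "flat ASCII on disk" claim both call for. Rather than arguing about open source, you can inspect the vendor's datafile directly: insert a known sentinel value through the application, then look for that sentinel, for `strings`-style printable runs, and for byte entropy in the raw file. Nothing here is specific to Firebird or to any file format; both input files are constructed in memory (the "scrambled" one uses a toy SHA-256 XOR keystream as a stand-in for what an encrypted file looks like, not as a real cipher), and the sentinel value CANARY-7f3a is an assumption of the example.

```python
"""Data-at-rest leak check for an opaque database file (added example).

Three cheap indicators, each independent of the file format:
  1. does a sentinel value we inserted via the application appear verbatim?
  2. how many printable-ASCII runs are there (what `strings -n 6` would print)?
  3. what is the Shannon entropy in bits/byte? Text sits around 4-5,
     encrypted or compressed data close to 8.
"""
import hashlib
import math
import re
from collections import Counter

PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{6,}")  # printable ASCII, >= 6 bytes
HIGH_ENTROPY = 7.5                                 # bits/byte; random data is ~7.9+

# Assumed sentinel (constructed for this example). In practice you type this
# into the application and then search the raw datafile for it.
PROBE = b"CANARY-7f3a"


def printable_runs(data: bytes) -> list[str]:
    """Return every run of >= 6 printable ASCII bytes, decoded."""
    return [m.group().decode("ascii") for m in PRINTABLE_RUN.finditer(data)]


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of the byte distribution, 0.0 .. 8.0 bits per byte."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def assess(data: bytes, probe: bytes = PROBE) -> dict:
    """Combine the three indicators into a verdict about the datafile."""
    ent = shannon_entropy(data)
    found = probe in data
    verdict = "plaintext" if (found or ent < HIGH_ENTROPY) else "opaque (encrypted or compressed?)"
    return {
        "entropy": round(ent, 2),
        "runs": len(printable_runs(data)),
        "probe_found": found,
        "verdict": verdict,
    }


def build_plaintext_file() -> bytes:
    """Constructed stand-in for a datafile that stores rows as flat ASCII."""
    header = b"\x01\x00\x39\x30\x00\x00\x10\x00" + b"\x00" * 56  # fake page header
    rows = b""
    for i in range(60):
        rows += f"Student{i:03d}\x00student{i:03d}@example.edu\x00Room {100 + i}\x00".encode()
    rows += b"Jane Doe\x00" + PROBE + b"\x00"  # the row holding our sentinel
    return header + rows


def scramble(data: bytes, key: bytes = b"demo-key-not-secret") -> bytes:
    """XOR with a SHA-256 counter keystream.

    Toy stand-in for what an encrypted datafile looks like on disk so the
    check has something to contrast against. Not a real cipher; do not reuse.
    """
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


if __name__ == "__main__":
    plain = build_plaintext_file()
    for label, blob in (("flat-ASCII file", plain), ("scrambled file", scramble(plain))):
        r = assess(blob)
        print(f"{label}: entropy={r['entropy']} runs={r['runs']} "
              f"probe_found={r['probe_found']} -> {r['verdict']}")
```

Against a real deployment, replace the constructed blobs with the bytes of the vendor's datafile before and after entering the sentinel through the application. A sentinel that shows up verbatim settles the "is it encrypted at rest" question without any debate about source availability; high entropy alone does not, since compression also produces it.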