Which Database is More Secure? Oracle vs Microsoft


I was quite surprised when a number of folks criticized the data used in the report titled “Microsoft SQL Server Runs the Security Table” from ESG – it was just CVE data!


Well, David Litchfield has done some of his own research, and created a report comparing SQL Server and Oracle.


David is no slouch; he has found security bugs in both SQL Server and Oracle. But I’ll let you draw your own conclusions.

Comments (9)

  1. Rory McCune says:

    Interesting report, makes a nice clear case, and it’s good to see all the details on the methodology that was used.

    I think that one of the problems with using just CVE data for this kind of work, as that first study seems to have, is that it doesn’t really lend itself to searching for all vulnerabilities for a given product … from their FAQ

    "B6. Can I search CVE by operating system?

    The CVE search was designed to help identify specific vulnerabilities and exposures, and not to find sets of problems that share common attributes such as operating systems. Therefore, you should not search CVE by operating system because your results will be incomplete."

    (yeah I know that this isn’t by operating system, but I think that the principle remains :O)

  2. Rock says:

    Litchfield used to be a big critic of MSFT – until they hired him. Is this yet another case of MSFT buying off someone to shut them up?

  3. Mr Rock.

    >>Litchfield used to be a big critic of MSFT

    So you know what? We listened, and we did something. The figures speak for themselves, the SQL team has done a tremendous job.

  4. Lubomir says:

    [snip]

    Litchfield ranked Microsoft SQL Server 2000 service pack 4 as the most secure database in the market, together with the PostgreSQL open source project. He ranked Oracle’s 10g database at the bottom.

    [snip]

    (http://www.vnunet.com/vnunet/news/2169225/microsoft-beats-oracle-security)

    So Microsoft or Postgres? I think now it comes to performance, but… wait a second:

    [snip]

    d.  Benchmark Testing. You may not disclose the results of any benchmark test of either the Server Software or Client Software to any third party without Microsoft’s prior written approval.

    [snip]

    (Microsoft SQL Server 2000 EULA)

    Okay, so price decides, am I not right?

    Anyways, according to "just CVE data", Microsoft SQL Server was affected by 57 issues compared to Postgres’ 40 since 1999. Any comments on this, Michael?
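The two methodology points raised in comments 1 and 4 (the CVE FAQ’s warning that a product search returns an incomplete set, and the raw "57 vs. 40 since 1999" figures) both come down to how the counting is done. The script below is an added example, not code from this post, from ESG or from Litchfield’s report. Its records are constructed placeholders (ids like SAMPLE-0001, not real CVE entries, with synthetic summaries), and the (vendor, product) tags stand in for CPE-style structured affected-product data. It counts the same product four ways: by keyword search over the summary text, by structured product tag, by product tag within a date window, and by product tag above a severity floor.

```python
"""Why a CVE count depends on how you count.

Added editorial example (not code from this post or from either report):
the records below are constructed placeholders, not real CVE entries, and
the (vendor, product) tags imitate CPE-style structured affected-product data.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Record:
    entry_id: str     # placeholder id, not a real CVE identifier
    summary: str      # free text, which is all a site keyword search sees
    products: tuple   # (vendor, product) pairs: structured tagging
    published: date
    score: float      # CVSS-style base score, 0.0 to 10.0


# Constructed sample data. Every summary is synthetic.
SAMPLE = (
    Record("SAMPLE-0001", "Sample issue in SQL Server 2000",
           (("microsoft", "sql_server"),), date(2002, 7, 1), 7.5),
    Record("SAMPLE-0002", "Sample issue in ExampleApp reachable via SQL injection",
           (("exampleco", "exampleapp"),), date(2004, 1, 1), 5.0),
    Record("SAMPLE-0003", "Sample issue in Oracle Database 10g",
           (("oracle", "database_server"),), date(2005, 3, 1), 6.5),
    Record("SAMPLE-0004", "Sample issue in Oracle Database listener",
           (("oracle", "database_server"),), date(2000, 6, 1), 5.0),
    Record("SAMPLE-0005", "Sample issue in Oracle Application Server",
           (("oracle", "application_server"),), date(2005, 9, 1), 4.3),
    Record("SAMPLE-0006", "Sample issue in PostgreSQL",
           (("postgresql", "postgresql"),), date(2005, 5, 1), 7.5),
    Record("SAMPLE-0007", "Sample issue in MDAC, a client library shipped with SQL Server",
           (("microsoft", "mdac"),), date(2003, 1, 1), 7.5),
)


def count_by_keyword(records, keyword):
    """Substring match on summary text, which is what a CVE site search does.

    Over-counts (any summary mentioning the word, e.g. "PostgreSQL" matches "sql")
    and under-counts (entries that name a component rather than the product).
    """
    k = keyword.lower()
    return sum(1 for r in records if k in r.summary.lower())


def count_by_product(records, vendor, product, since=None, min_score=0.0):
    """Structured match on the tagged (vendor, product) pair, with an optional
    publication-date window and a CVSS-style severity floor."""
    return sum(
        1 for r in records
        if (vendor, product) in r.products
        and (since is None or r.published >= since)
        and r.score >= min_score
    )


def compare_methods(records, vendor, product, keyword, since, min_score):
    """Count one product four ways to show how far the number moves."""
    return {
        "keyword": count_by_keyword(records, keyword),
        "product": count_by_product(records, vendor, product),
        "product_since": count_by_product(records, vendor, product, since=since),
        "product_severe": count_by_product(records, vendor, product, min_score=min_score),
    }


if __name__ == "__main__":
    window = date(2003, 1, 1)
    for vendor, product, keyword in (
        ("microsoft", "sql_server", "sql"),
        ("oracle", "database_server", "oracle"),
        ("postgresql", "postgresql", "postgresql"),
    ):
        print(f"{vendor}/{product}:",
              compare_methods(SAMPLE, vendor, product, keyword, window, 7.0))
```

On this sample the "SQL" keyword count is 4 while the structured count for microsoft/sql_server is 1, and the Oracle database count drops from 3 to 0 as the method tightens. The method, window and severity floor used to produce a figure are exactly what to check before treating any two product counts as comparable.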

  5. >>Any comments on this, Michael?

    you bet – it all comes down to "does the database do what you want" – I cannot answer that for Postgres, I’ve never used it! And I know of no customer using it either. Of course, I’m not saying no-one uses it, but I have yet to meet anyone that uses it. I know lots of people running SQL Server, DB2, MySQL, and Oracle, however.

  6. sandeep says:

    what about MS Access?

  7. Does Microsoft have a set of guardian angels? Think of all the killer threats they’ve seen over the years.Threats…