Oracle's database technology is four times less secure that the much-derided SQL Server from Microsoft, a new study has concluded.
While Microsoft and its SQL Server has attracted a load of coverage for security holes, in fact Oracle's relational database management (RDBM) products have far more vulnerabilities, according to researchers at Next Generation Security Software (NGSS).
Between December 2000 and November 2006, NGSS discovered 233 vulnerabilities in Oracle's products compared to 59 in Microsoft's SQL Server technology. The study looked at vulnerabilities that were reported and fixed in SQL Server 7, 2000 and 2005 and Oracle's database versions 8, 9, and 10g.
The results show that the reputation for relatively poor security that SQL server had back in 2002 is no longer deserved, said David Litchfield, founder of NGSS. And neither is the beating that Microsoft has got for security issues, he said.
"I think it's time people got past this, especially security researchers," Litchfield argued. "We should be about closing holes and improving a vendor's outlook on security and - largely - that battle has been won with Microsoft," he said. The results show that Microsoft's software development lifecycle processes appear to be working, he said. "There are other battles needing to be fought and won - Oracle being one of them," he said.
But an Oracle spokeswoman said the number of reported vulnerabilities in a product alone is not a measure of the overall security. "Products vary significantly in terms of richness of features and capabilities as well as number of versions and supported platforms," she said. "Measuring security is a very complex process, and customers must take a number of factors into consideration - including use case scenarios, default configurations as well as vulnerability remediation and disclosure policies and practices."
This argument was partly backed up by Burton analyst Pete Lindstrom. Basing a product's security just on the number of vulnerabilities discovered and fixed may not be the best approach, Lindstrom said. "Oracle apparently won an ugly contest, but there's got to be other criteria other than known vulnerabilities". Until then, "the jury should still be out on what's more or less secure," Lindstrom said.
The NGSS report comes at a time when security researchers, irked by what they consider to be Oracle's glacial pace of fixing bugs, are increasingly turning their attention to its products. In October, Oracle announced fixes for more than 100 flaws as part of its scheduled quarterly security updates. Many of the flaws were reported to the company by outside researchers.
Just last week, Argeniss Information Security announced plans to disclose one zero-day bug every day for a week in December. In a note posted on the company's site, founder Cesar Cerrudo said the idea is to highlight the current state of Oracle software security. "We want to demonstrate that Oracle isn't getting any better at securing its products," he said. "We could do the Year of Oracle Database Bugs but we think a week is enough to show how flawed Oracle software is."
Original reporting by Computerworld