Given that NGS Software participated in Microsoft's Security Development Lifecycle [1] and your paper is already being referenced by Microsoft employees [2], the following question should be addressed to ensure the comparison is fair: Did NGS Software find any bugs in a version of SQL Server mentioned in the paper (7, 2005, and 2005) during a private security audit which were disclosed to Microsoft and fixed without being mentioned in a Microsoft security bulletin? If the answer is yes, then it produces two problems pertaining to the paper's accuracy: 1. It (quite significantly) skews the NGS Software comparison paper in favor of Microsoft. Reason: Several (the vast majority?) of the Oracle vulnerabilities mentioned in the paper were found by NGS Software, and similar Microsoft SQL Server vulnerabilities NGS Software found were privately fixed. 2. There is a conflict of interest. Reason: NGS Software has an interest in SQL Server appearing to be more secure (lest it would reflect poorly on NGS Software's auditing capabilities). Further if the answer is yes, NGS Software vulnerabilities found in Oracle subsequent to the NGS Software's first security audit of SQL Server should be excluded from this comparison. If the answer is no, then disregard my comments. Just verifying! [1] "Windows Vista Security Testing" http://blogs.msdn.com/windowsvistasecurity/archive/2006/07/28/681833.asp x [2] "Which Database is More Secure? Oracle vs Microsoft" http://blogs.msdn.com/michael_howard/archive/2006/11/20/which-database-i s-more-secure-oracle-vs-microsoft.aspx -----Original Message----- From: David Litchfield [mailto:davidl@xxxxxxxxxxxxxxx] Sent: Monday, November 20, 2006 8:28 PM To: bugtraq@xxxxxxxxxxxxxxxxx; dbsec@xxxxxxxxxxxxx Subject: Which is more secure? Oracle vs. Microsoft Hey all, What started out as a fun project for me turned out some serious results - "Which is more secure? Oracle vs Microsoft" is a paper I put together looking at the number of security flaws in the Oracle and MS database offerings. For those that are interested, you can grab a copy of the results here: http://www.databasesecurity.com/dbsec/comparison.pdf Cheers, David
