Inline: On 11/24/06 10:46 AM, "stopmakingnoise@xxxxxxxxx" <stopmakingnoise@xxxxxxxxx> opined: > Having said this, do we really need a paper telling us: > > - "SQL Server code is just more secure than Oracle code." > > - "Does Oracle have an equivalent of SDL? > Looking at the results, I don‚t think so." > > - "[...] given these results one should not be looking at Oracle as a serious > contender." > > I don't think so. This is plain FUD. > Want to write a paper comparing flaws found in these two DBMS? That's fine. > Please write down numbers and graphs, but - please! - refrain from any > comments which are not > factual but are your own's. > > To get to the point: I may agree and sympathize with your personal point of > view (in fact, I do) > but these sentences have NOTHING to do in a supposedly research-oriented > paper. David Litchfield is one of the most predominant security researchers in the field, particularly in the area of database security. He and NGS have discovered more combined security vulnerabilities in leading DBMS products than anyone else in the world. Given this fact, I think that not only is it appropriate for David to give whatever opinions he chooses in his research, but that it is his opinions that actually give the research real, tangible, applicable value. With his indisputable status as an authority on database security and his unwavering integrity, I have no problem whatsoever in considering Dave's opinions to be "fact." > As a matter of fact, if we start talking about things such as "looking at > Oracle as a serious contender", you wouldn't arrive at the point of evaluating > SQL Server because there would be no point at all in considering Microsoft's > Operating Systems, given their extremely negative security records, as > "serious contenders" themselves. Any point that you may have had regarding "FUD" and "comments that are not factual but one's own" were totally lost by this statement in a sadly ironic way. T
