Date: Tue, 21 Nov 2006 20:23:12 -0800
From: "Matthew Conover" <matthew_conover@...antec.com>
To: <davidl@...software.com>, <bugtraq@...urityfocus.com>,
	<dbsec@...elists.org>
Subject: "Which is more secure? Oracle vs. Microsoft" (is it a fair comparison?)

Given that NGS Software participated in Microsoft's Security Development
Lifecycle [1] and your paper is already being referenced by Microsoft
employees [2], the following question should be addressed to ensure the
comparison is fair:
Did NGS Software find any bugs in a version of SQL Server mentioned in
the paper (7, 2005, and 2005) during a private security audit which were
disclosed to Microsoft and fixed without being mentioned in a Microsoft
security bulletin?

If the answer is yes, then it produces two problems pertaining to the
paper's accuracy:
1. It (quite significantly) skews the NGS Software comparison paper in
favor of Microsoft. Reason: Several (the vast majority?) of the Oracle
vulnerabilities mentioned in the paper were found by NGS Software, and
similar Microsoft SQL Server vulnerabilities NGS Software found were
privately fixed.
2. There is a conflict of interest. Reason: NGS Software has an interest
in SQL Server appearing to be more secure (lest it would reflect poorly
on NGS Software's auditing capabilities).

Further, if the answer is yes, NGS Software vulnerabilities found in
Oracle subsequent to NGS Software's first security audit of SQL
Server should be excluded from this comparison.

If the answer is no, then disregard my comments. Just verifying!

[1] "Windows Vista Security Testing"
http://blogs.msdn.com/windowsvistasecurity/archive/2006/07/28/681833.aspx
[2] "Which Database is More Secure? Oracle vs Microsoft"
http://blogs.msdn.com/michael_howard/archive/2006/11/20/which-database-is-more-secure-oracle-vs-microsoft.aspx

-----Original Message-----
From: David Litchfield [mailto:davidl@...software.com] 
Sent: Monday, November 20, 2006 8:28 PM
To: bugtraq@...urityfocus.com; dbsec@...elists.org
Subject: Which is more secure? Oracle vs. Microsoft

Hey all,
What started out as a fun project for me turned out some serious results -
"Which is more secure? Oracle vs Microsoft" is a paper I put together
looking at the number of security flaws in the Oracle and MS database
offerings. For those that are interested, you can grab a copy of the
results here: http://www.databasesecurity.com/dbsec/comparison.pdf
Cheers,
David
