[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <4568830E.3010503@pacbell.net>
Date: Sat, 25 Nov 2006 09:53:18 -0800
From: "Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]" <sbradcpa@...bell.net>
Cc: Bugtraq <bugtraq@...urityfocus.com>
Subject: Re: "Which is more secure? Oracle vs. Microsoft" (is it a fair comparison?)
Opinions are still... just that... opinions.
However Mr. Litchfield is in the category of expert that would be deemed
an "expert witness" in a court of law. His CV is impeccable, his
factual research has much merit, his reputation in this area is
unparalleled.
On the factual evidence of published/known vulnerabilities, the
historically long time to patch, the revisions to released patches when
they are found to not protect are clear evidence of a firm that needs to
perhaps be a tad more security aware. Those are clear historical facts
in evidence in the public arena.
However, one cannot merely jump from the fact that Mr. Litchfield is
beyond reproach to make his mere opinions into facts.
Expert witnesses are bound by the "Daubert test" these days (gotta love
it when even the wikipedia has a link
http://en.wikipedia.org/wiki/Daubert_Standard )
Given his body of knowledge in database security, his resume and all
that, does his opinion hold more weight in persuasion more than
practically anyone else on the planet? Oh yeah. But the parts that are
true "opinion" are still opinion and not fact.
However, Mr. Stopmakingnoise's comment about Microsoft's extremely
negative security records is also opinion, not quantified by facts. era,
nor does in include an acknowledgment of our own responsibility in
security.
In databases, probably the most common and public security event
affecting the database security world, I would argue, was SQL slammer,
an incident that had a patch available ahead of time. Granted it may
not have been the easiest to deploy, but it was there. In my opinion,
those of us consumers of databases need to acknowledge own participation
in security. Having a vendor that takes security seriously is part of
the equation, but buyers and implementers of databases need to do their
part as well. If our line of business applications won't support the
newer, more secure databases, our data is still at risk. And obviously
if we're not patching those databases, we're even more still at risk.
Thor (Hammer of God) wrote:
> Inline:
>
> On 11/24/06 10:46 AM, "stopmakingnoise@...il.com"
> <stopmakingnoise@...il.com> opined:
>
>
>> Having said this, do we really need a paper telling us:
>>
>> - "SQL Server code is just more secure than Oracle code."
>>
>> - "Does Oracle have an equivalent of SDL?
>> Looking at the results, I don‚t think so."
>>
>> - "[...] given these results one should not be looking at Oracle as a serious
>> contender."
>>
>> I don't think so. This is plain FUD.
>> Want to write a paper comparing flaws found in these two DBMS? That's fine.
>> Please write down numbers and graphs, but - please! - refrain from any
>> comments which are not
>> factual but are your own's.
>>
>> To get to the point: I may agree and sympathize with your personal point of
>> view (in fact, I do)
>> but these sentences have NOTHING to do in a supposedly research-oriented
>> paper.
>>
>
> David Litchfield is one of the most predominant security researchers in the
> field, particularly in the area of database security. He and NGS have
> discovered more combined security vulnerabilities in leading DBMS products
> than anyone else in the world.
>
> Given this fact, I think that not only is it appropriate for David to give
> whatever opinions he chooses in his research, but that it is his opinions
> that actually give the research real, tangible, applicable value. With his
> indisputable status as an authority on database security and his unwavering
> integrity, I have no problem whatsoever in considering Dave's opinions to be
> "fact."
>
>
>> As a matter of fact, if we start talking about things such as "looking at
>> Oracle as a serious contender", you wouldn't arrive at the point of evaluating
>> SQL Server because there would be no point at all in considering Microsoft's
>> Operating Systems, given their extremely negative security records, as
>> "serious contenders" themselves.
>>
>
> Any point that you may have had regarding "FUD" and "comments that are not
> factual but one's own" were totally lost by this statement in a sadly ironic
> way.
>
> T
>
>
>
>
--
Letting your vendors set your risk analysis these days?
http://www.threatcode.com
If you are a SBSer and you don't subscribe to the SBS Blog... man ... I will hunt you down...
http://blogs.technet.com/sbs
Powered by blists - more mailing lists