Guess: which of the two big databases, Oracle or MS SQL, is more secure?


  • In the research report that David Litchfield of NGSSoftware released on 21 November 2006, which summarises David's findings, Litchfield says: "I can find a new bug in Oracle 10g in five minutes, but I can't do that with SQL Server 2005."
    This surprised me, because the sample studied ran from SQL Server 7/2000 all the way to SQL Server 2005.
    I use MS SQL myself, but I had always assumed, or heard others say, that Oracle was better than SQL Server in every respect, and over time I took that as true.
    Now there is an objective third-party test, and although the result surprised me, it also gives me more confidence to keep using MS SQL Server.


    Excerpt of the Q & A from Litchfield's research

    Q1. Do Oracle’s results look so bad because it runs on multiple platforms?
    A1. No – pretty much most of the issues are cross-platform. In the 10gR2 graph every flaw affects every platform.

    Q2. Do the SQL Server 2005 results have no flaws because no-one is looking at it?
    A2. No – I know of a number of good researchers who are looking at it – SQL Server code is just
    more secure than Oracle code.

    Q3. Do you have any predictions on the Oracle January 2007 Critical Patch Update?
    A3. Maybe – NGSSoftware are currently waiting for Oracle to fix 49 security flaws – these
    will be fixed sometime in 2007 and 2008.

    Q4. Do these results contain unfixed flaws?
    A4. No – only those that have been publicly reported and fixed are in the data.

    Q5. Why have there been so few bugs found in SQL Server since 2002?
    A5. Three words: Security Development Lifecycle – SDL. SDL is far and above the most
    important factor. A key benefit of employing SDL is that knowledge learnt after
    finding and fixing screw-ups is not lost; instead it is ploughed back into the cycle. This
    means that rather than remaking the same mistakes elsewhere, you can guarantee that new
    code, whilst not necessarily completely secure, is at least more secure than the old code.

    A round of applause for MS SQL.

    25 November 2006, 08:55 AM