Es el tema del momento (bueno, por lo menos para el sector friki que nos dedicamos a esto). Empezó Jeff Jones en su blog con una comparación de número de vulnerabilidades entre Oracle y SQL Server 2005 (que ya fué comentado aquí). Para Jeff está claro que la clave del éxito la tiene el proceso de SDL (Security Development Lifecycle) que ha adoptado Microsoft.

Dos reportes más corroboran este punto. David Litchfield, experto de seguridad de bases de datos de NGS Software (famoso por haber descubierto docenas de vulnerabilidades en sistemas de bases de datos), ha publicado un artículo llamado “Which database is more secure? Oracle vs Microsoft” (PDF). Según el artículo de VNUNET:

Microsoft patched 59 vulnerabilities in its SQL Server 7, 2000 and 2005 databases during the period, while Oracle issued 233 patches for software flaws in its Oracle 8, 9 and 10g databases.

The research also pointed out that Microsoft has not issued a single security bulletin for its databases since mid-2003, whereas Oracle has seen a spike in patches in recent years.

Litchfield ranked Microsoft SQL Server 2000 service pack 4 as the most secure database in the market, together with the PostgreSQL open source project. He ranked Oracle’s 10g database at the bottom. 

“It will take me five minutes to find a new bug in the Oracle 10g database, but I cannot do that with SQL Server 2005,” Litchfield told vnunet.com in an interview. 

Litchfield claims to have reported 49 vulnerabilities to Oracle that the company has yet to patch.

Other researchers are sitting on dozens of so-called zero-day vulnerabilities, including security firm Argeniss which plans to have a Week of Oracle Database Bugs in December to demonstrate the vendor’s poor security record.

Además ESG (Enterprise Strategy Group) ha publicado otro informe similar: “Microsoft SQL Server Runs The Security Table” (PDF) que también echa por tierra las pretensiones de Oracle de ser considerado “más seguro” en el mundo empresarial.