I’m a Microsoft fan, but I admit that telling Microsoft jokes is almost as easy as telling lawyer jokes. (I hope my legal team isn’t reading this, taking offense, and padding their bills to me in retaliation.) Security--or arguably the lack thereof--has long been an area in which Joe Public likes to poke fun at Microsoft. Because so many desktops worldwide run Windows, the popular press has countless opportunities for pointing out Microsoft’s foibles in this space.
But it looks like Microsoft might be improving its security reputation, especially in the SQL Server realm. A recent security briefing published by the Enterprise Strategy Group (ESG), “Microsoft SQL Server Runs the Security Table,” ( http://www.microsoft.com/presspass/itanalyst/docs/ESGNov2006SQLServerSecurity.pdf ) might be of interest to database and security professionals around the world. According to this compelling 3-page paper, “ESG considers Microsoft, with proper execution, to be years ahead of Oracle and MySQL in producing secure and reliable database products.”
Hmm. Wow. Could it be true? I’m not from Missouri, but I believe in the words of the state’s nickname, The Show-Me State. Seeing is believing--unless you’re at a magic show.
The ESG report focuses on a review of Common Vulnerabilities and Exposures (CVE) data from the National Institute of Science and Technology (NIST) National Vulnerability Database to compare security vulnerabilities in SQL Server, Oracle, and MySQL. The results were interesting. For 2006, SQL Server currently has two CVEs, MySQL has 59 CVEs, and Oracle has 70 CVEs. (Note that although ESG’s paper focuses on SQL Server, Oracle, and MySQL, Sybase has seven CVEs for 2006 and IBM DB2 has four.)
I’m not a security expert, and to be honest, I don’t know for sure that the National Vulnerability Database is the only--or best--indicator of database vulnerabilities. But all the vendors who are included in the database self report, and the ESG report says that it used the National Vulnerability Database because it’s a registry that collects data from numerous commercial, academic, and research groups who focus on security matters. The difference between two SQL Server CVEs and 70 Oracle CVEs has to mean something.
The report notes that “Microsoft’s results are almost too good to be true,” and the Missouri lover in me also marvels at the reported results. Honestly, I’d be inclined to discount the report if it weren’t for the connections I have with certain members of the SQL Server product and program-management teams. I was with certain Microsoft engineers on the day that Slammer swept the world a few years ago, and I know how embarrassing that event was for Microsoft. I’ve heard all the standard “we’re going to make it better” promises and understand why customers have been skeptical. But I’ve been able to talk to the SQL Server team members who are responsible for implementing those promises, and I know that they take their responsibility very seriously. Usually, the adage “if it looks too good to be true, then it’s probably not true” is correct, but in this case, the good news really is true. Usually it’s easy to poke fun at Microsoft, but Microsoft has been kicking some serious butt in the race to have a hardened, secure database platform.
Slammer, and the incessant wave of security patches that followed, forced Microsoft to make hard decisions about the way that security would be managed, and at one point caused a many-months-long delay of new work on SQL Server 2005 and 2000 as massive engineering resources were pumped into detailed code review and design reviews to ensure that security was “baked into the core,” as some Microsoft folks like to say. Read the entire ESG report for more insight about how Microsoft achieved these impressive CVE results for 2006. Instead of “it’s too good to be true,” perhaps this time the best advice is “don’t look a gift horse in the mouth.”