Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Bugtraq
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: "Which is more secure? Oracle vs. Microsoft" (is it a fair compariso

from [Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]] Network Security [Permanent Link]
Subject: Re: "Which is more secure? Oracle vs. Microsoft" (is it a fair comparison?)
Date: Sat, 25 Nov 2006 09:53:18 -0800 
Opinions are still... just that... opinions.

However Mr. Litchfield is in the category of expert that would be deemed an "expert witness" in a court of law. His CV is impeccable, his factual research has much merit, his reputation in this area is unparalleled.

On the factual evidence of published/known vulnerabilities, the historically long time to patch, the revisions to released patches when they are found to not protect are clear evidence of a firm that needs to perhaps be a tad more security aware. Those are clear historical facts in evidence in the public arena.

However, one cannot merely jump from the fact that Mr. Litchfield is beyond reproach to make his mere opinions into facts.

Expert witnesses are bound by the "Daubert test" these days (gotta love it when even the wikipedia has a link http://en.wikipedia.org/wiki/Daubert_Standard )

Given his body of knowledge in database security, his resume and all that, does his opinion hold more weight in persuasion more than practically anyone else on the planet? Oh yeah. But the parts that are true "opinion" are still opinion and not fact.

However, Mr. Stopmakingnoise's comment about Microsoft's extremely negative security records is also opinion, not quantified by facts. era, nor does in include an acknowledgment of our own responsibility in security.

In databases, probably the most common and public security event affecting the database security world, I would argue, was SQL slammer, an incident that had a patch available ahead of time. Granted it may not have been the easiest to deploy, but it was there. In my opinion, those of us consumers of databases need to acknowledge own participation in security. Having a vendor that takes security seriously is part of the equation, but buyers and implementers of databases need to do their part as well. If our line of business applications won't support the newer, more secure databases, our data is still at risk. And obviously if we're not patching those databases, we're even more still at risk.





Thor (Hammer of God) wrote: 
Inline:

On 11/24/06 10:46 AM, "stopmakingnoise@gmail.com"
<stopmakingnoise@gmail.com> opined:

Having said this, do we really need a paper telling us:

- "SQL Server code is just more secure than Oracle code."

- "Does Oracle have an equivalent of SDL?
Looking at the results, I donât think so."

- "[...] given these results one should not be looking at Oracle as a serious
contender."

I don't think so. This is plain FUD.
Want to write a paper comparing flaws found in these two DBMS? That's fine.
Please write down numbers and graphs, but - please! - refrain from any
comments which are not
factual but are your own's.

To get to the point: I may agree and sympathize with your personal point of
view (in fact, I do)
but these sentences have NOTHING to do in a supposedly research-oriented
paper.

David Litchfield is one of the most predominant security researchers in the
field, particularly in the area of database security.  He and NGS have
discovered more combined security vulnerabilities in leading DBMS products
than anyone else in the world.

Given this fact, I think that not only is it appropriate for David to give
whatever opinions he chooses in his research, but that it is his opinions
that actually give the research real, tangible, applicable value. With his
indisputable status as an authority on database security and his unwavering
integrity, I have no problem whatsoever in considering Dave's opinions to be
"fact."

As a matter of fact, if we start talking about things such as "looking at
Oracle as a serious contender", you wouldn't arrive at the point of evaluating
SQL Server because there would be no point at all in considering Microsoft's
Operating Systems, given their extremely negative security records, as
"serious contenders" themselves.

Any point that you may have had regarding "FUD" and "comments that are not
factual but one's own" were totally lost by this statement in a sadly ironic
way.

T




--
Letting your vendors set your risk analysis these days? http://www.threatcode.com

If you are a SBSer and you don't subscribe to the SBS Blog... man ... I will 
hunt you down...
http://blogs.technet.com/sbs

[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: Re: Digipass Go3 Token Dumper (at least for 2006), fcollyer
Next by Date:  Re: Re: "Which is more secure? Oracle vs. Microsoft" (is it a fair comparison?), Steve Friedl
Previous by Thread:  Re: "Which is more secure? Oracle vs. Microsoft" (is it a fair comparison?), Thor (Hammer of God)
Next by Thread:  Re: "Which is more secure? Oracle vs. Microsoft" (is it a fair comparison?), Thor (Hammer of God)
Indexes:  [Date] [Thread] [Top] [All Lists]