Inline:
On 11/24/06 10:46 AM, "stopmakingnoise@gmail.com"
<stopmakingnoise@gmail.com> opined:
Having said this, do we really need a paper telling us:
- "SQL Server code is just more secure than Oracle code."
- "Does Oracle have an equivalent of SDL?
Looking at the results, I donât think so."
- "[...] given these results one should not be looking at Oracle as a serious
contender."
I don't think so. This is plain FUD.
Want to write a paper comparing flaws found in these two DBMS? That's fine.
Please write down numbers and graphs, but - please! - refrain from any
comments which are not
factual but are your own's.
To get to the point: I may agree and sympathize with your personal point of
view (in fact, I do)
but these sentences have NOTHING to do in a supposedly research-oriented
paper.
David Litchfield is one of the most predominant security researchers in the
field, particularly in the area of database security. He and NGS have
discovered more combined security vulnerabilities in leading DBMS products
than anyone else in the world.
Given this fact, I think that not only is it appropriate for David to give
whatever opinions he chooses in his research, but that it is his opinions
that actually give the research real, tangible, applicable value. With his
indisputable status as an authority on database security and his unwavering
integrity, I have no problem whatsoever in considering Dave's opinions to be
"fact."
As a matter of fact, if we start talking about things such as "looking at
Oracle as a serious contender", you wouldn't arrive at the point of evaluating
SQL Server because there would be no point at all in considering Microsoft's
Operating Systems, given their extremely negative security records, as
"serious contenders" themselves.
Any point that you may have had regarding "FUD" and "comments that are not
factual but one's own" were totally lost by this statement in a sadly ironic
way.
T
