No Joking About SQL Server Security - 26 Feb 2007

Security—or arguably the lack thereof—has long been an area in which Joe Public likes to poke fun at Microsoft. Because so many desktops worldwide run Windows, the popular press has countless opportunities for pointing out Microsoft’s foibles in this space. But it looks like Microsoft might be improving its security reputation, especially in the SQL Server realm. A recent security briefing published by the Enterprise Strategy Group (ESG), “Microsoft SQL Server Runs the Security Table,” might be of interest to database and security professionals around the world. According to this compelling three-page paper, “ESG considers Microsoft, with proper execution, to be years ahead of Oracle and MySQL in producing secure and reliable database products.”

Could it be true? The ESG report focuses on a review of Common Vulnerabilities and Exposures (CVE) data from the National Institute of Science and Technology (NIST) National Vulnerability Database to compare security vulnerabilities in SQL Server, Oracle, and MySQL. The results were interesting. For 2006, SQL Server currently has 2 CVEs, MySQL has 59 CVEs, and Oracle has 70 CVEs. (Note that although ESG’s paper focuses on SQL Server, Oracle, and MySQL, Sybase has 7 CVEs for 2006 and IBM DB2 has 4.)

I’m not a security expert, and to be honest, I don’t know for sure that the National Vulnerability Database is the only—or best—indicator of database vulnerabilities. But all the vendors who are included in the database self-report, and the ESG report says that it used the National Vulnerability Database because it’s a registry that collects data from numerous commercial, academic, and research groups who focus on security matters. The difference between 2 SQL Server CVEs and 70 Oracle CVEs has to mean something.

The report notes that “Microsoft’s results are almost too good to be true.” Honestly, I’d be inclined to discount the report if it weren’t for the connections I have with some members of the SQL Server product and program-management teams. I was with certain Microsoft engineers on the day that Slammer swept the world a few years ago, and I know how embarrassing that event was for Microsoft. I’ve heard all the standard “we’re going to make it better” promises and understand why customers have been skeptical. But I’ve been able to talk to the SQL Server team members who are responsible for implementing those promises, and I know that they take their responsibility very seriously. Usually, the adage “if it looks too good to be true, then it’s probably not true” is correct, but in this case, the good news really is true. Usually, it’s easy to poke fun at Microsoft, but Microsoft has been kicking some serious butt in the race to have a hardened, secure database platform. Read the entire ESG report for more insight about how Microsoft achieved these impressive CVE results for 2006.
