November 28, 2006

Litchfield plays Nathan to Oracle's David

The Greeks believed that the Oracle at Delphi was the center of the universe (the "navel of the world," they called it). People throughout the Hellenistic (Greek) world would travel to the Oracle to ask all sorts of questions, and the Oracle (specifically the priestess within the Oracle) would provide a (usually ambiguous) answer.

As in most ancient cultures, the Oracle's role was not just to predict the future. There was that too, but the Oracle also had a social role. It's true - the Oracle was the one place where kings and queens, emperors and priests could hear the "damning truth" about their policies and actions. If you examine what we know about the Oracle at Delphi, or what we know about the Old Testament prophets, you find a surprising amount of social and political commentary within their pronouncements. From a social perspective, this makes sense. For example, consider the case of King David and Uriah the Hittite: who was right there to condemn David for his actions? Nathan the prophet, sure enough. He was right there to tell David where his actions fell short. And he could - the King would have been hard pressed politically if there were negative repercussions against a prophet (the prophets were seen as speaking with God's voice, so how could the King retaliate?).

So... where am I going with this? Well, recently I came across a report from David Litchfield about the "resiliency" (resistance to vulnerabilities) of Microsoft's SQL Server compared with that of Oracle's database. Interestingly, Microsoft came out on top. This is particularly interesting to me for two reasons: first, I find it ironic that David Litchfield is fulfilling the traditional "Oracular" role of pointing out where the emperor has no clothes, and second, I find it interesting for what it says about the efficacy of the secure coding measures in place at both firms. As you probably know, Oracle uses automated analysis of their code to attempt to reduce vulnerabilities, while Microsoft uses an "ingrained process" approach (the SDL). Over the short term, Oracle's approach of using a code-scanning tool is probably cheaper and less intrusive to the development process... but it is not self-reinforcing, so there are no efficiency gains over time - in other words, it requires continued investment: today it costs X to scan the code and tomorrow it costs the same (or more). Contrast this with Microsoft's approach. While more expensive in the short term, the SDL has the advantage of reinforcing itself over time; in other words, the investment made today will continue to pay off, becoming cheaper and more effective over the long haul. An interesting strategy, and one that I think these results bear out...

Posted by Ed at November 28, 2006 10:57 AM | TrackBack