So, the other week we discussed (cursorily) the ongoing fallout from Dave Litchfield's report regarding the security of Oracle vs. SQL Server. One of the interesting reflections on this comes from Illuminata; if you get a chance, I highly recommend that you read through their discussion on this.
Now, the Illuminata position is that the security of Oracle has eroded over time (that they have more vulnerabilities now than in previous versions of the product) while the security of Microsoft's SQL Server has increased. I think this is a useful observation... The only thing I would point out is that proving their assertion would be difficult; for example, we've had an uptick in the amount of research activity across the same time window as the increase in Oracle's vulnerabilities. Given that, it could be that the security of Oracle hasn't eroded - it's just that there's more research nowadays. But normalizing the increase in vulnerabilities against the research growth curve is more math than I feel like doing this morning, so I'll buy into their assumption for the sake of argument.
Their next assertion is also interesting - that other Microsoft products like IE and Windows have also had an increase in overall security, but because of holes in the existing product base, users have not yet begun to pick up on the improvements. Interesting, too. I would tend to agree with this. However, I think there's more going on than just interaction with legacy products that increases the perception of Microsoft products as having security problems. Specifically, there is pressure from competitors, marketing dollars from Apple and others to paint the products as insecure, as well as third-party apps that detract from the security of the individual products.
So, go read this post if you haven't yet. Pay special attention to the part where they tell Oracle that its customers are starting to take notice of issues in the product, and also keep in mind that Illuminata is not a security-specific analyst firm, so the fact that they are interested in this means it's of interest to the IT community beyond just security.
Posted by Ed at December 5, 2006 09:56 AM