My good friend Steve the team spook, has written this post about SQL Servers track record on security compared with what many people perceive is the secure database of choice, Oracle. I can only speculate as to why this is the case as I am not an Oracle guru, but it may well be down to Microsoft’s trustworthy computing (TwC) initiative whereby products have a 3D process for ensuring security is a prioirty:
Secure by Design. Stating the obvious here but the products need to be designed to be secure from the ground up. The Microsoft Security Development Lifecycle (SDL) is widely acclaimed and the rest of the software industry has nothing like this particularly in the open source world. But it’s important that this sort of approach is widely adopted so the links above enables others to adopt it, as an organisation is only as secure as its least secure system. Vulnerabilities dropped from 16 to 3 when it was applied to SQL Server 2000(read more here).
Secure by Default. SQL Server , Windows Server 2008 etc. installs with what James O’Neill on our team and James T Kirk on the Enterprise would call “shields up”. That is to say no ports are open and all features are off so you have to specifically open up just the bits you need, like being able to access SQL Server from a remote machine, and setting up TCP/IP and named ports connectivity. So you setup the environment the way you want and then open up the connectivity when your happy with it, like the way you don’t let people into a new building until it’s safe and signed off by the dreaded health and safety.
Secure by Deployment. Microsoft is not perfect (no really it isn’t), and new threats are coming out all the time so fixes patches and advice are released as soon as possible. For example, the most recent set of security updates for SQL 7, 2000 and 2005 resolve four privately disclosed vulnerabilities. For details of the affected systems and vulnerabilities see Microsoft Security Bulletin MS08-040. If you have already applied Cumulative Update 7 back in April or higher for SQL Server 2005 SP2 then you have these fixes as they were included.
There are also shed loads of Security white papers and advice for example:
- Microsoft Source Code Analyzer for SQL Injection
- Security White Papers for setting up Microsoft products to set vertical industries such as banking
- Security Update for Windows Server 2003 (KB948110). A security issue has been identified in the Microsoft SQL Server 2000 Desktop Engine (WMSDE) that could allow an attacker to compromise your Microsoft Windows-based system and gain control over it. BTW note that although SQL Serve 2000 is no longer supported if vulnerabilities are found they will be fixed.
Finally if SQL Server really is insecure, then show me the evidence as I am sure if there were any serious issues they would be all over the Register, FARK and Slashdot like a rash in about 10 nanoseconds and then sit their for centuries.