Enterprise Strategy Group on SQL 2005: "Microsoft Years Ahead..."

After the unfortunate "Slammer" affair, things have become quite quiet regarding the security of Microsoft SQL Server. While Oracle patches its roughly 80 security vulnerabilities quarter after quarter, one hears nothing at all in this regard about Microsoft SQL Server. Why is that? Is SQL Server slipping through "under the radar", or are there other reasons?

Here is an interesting blog entry by a colleague from the security team: https://blogs.technet.com/security/archive/2006/11/13/enterprise-strategy-group-on-sql-2005-quot-microsoft-years-ahead-quot.aspx

With a year's track record, SQL Server 2005's positive security performance is being noticed beyond just my own observations (SQL Server 2005 - 1 Year And Not Yet Counting...). Enterprise Strategy Group (ESG), a technology industry analyst group, released a study today comparing the security vulnerability records of SQL Server, Oracle and MySQL.

And before you ask, no, this was not a "sponsored" study. ;-)

My favorite quotation from the brief is:

The CVE numbers don’t lie. The noteworthy results of Microsoft’s investments to produce more secure software in SQL Server 2005 are a matter of public record. ESG has talked with customers that have standardized their mission critical applications on Microsoft SQL Server based on security and reliability results. The nature of the security and reliability improvements, namely fundamental changes in the way software is designed, built and tested creates an advantage that Microsoft should be able to sustain with proper execution. ESG considers Microsoft to be years ahead of Oracle and MySQL in producing secure and reliable database products.

Go read the whole report (subscription required) and see what ESG has to say about the SQL Server 2005 vulnerability rate, the Security Development Lifecycle (SDL), Oracle, MySQL and what lessons should be considered by the software industry.