Database Security: Oracle Vs. SQL

David Litchfield has published a paper, “Oracle Vs. SQL Server”, on his website, http://www.databasesecurity.com, where it can be downloaded directly.

This seems to follow on from a posting I noticed a few weeks back on Jeff Jones's Microsoft blog regarding SQL Server 2005.

So this highlights the fact that Microsoft are starting to make progress with their SDL program, and Oracle don’t seem to have a handle on security.

However, this can also give people a false sense of security. These reports look only at vulnerabilities in the products themselves, e.g. MS SQL Server and Oracle. Consider the database code that your developer has created:

  • Has he or she developed code with security in mind?
  • Do they even know about writing secure code?

It is quite possible that the security of your database, which happens to be sitting on your SQL 2005 server, is bypassed with a SQL injection in that code.
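To make that concrete, here is an added T-SQL example (not from the original post or from either paper) of developer-written database code that is injectable on a fully patched server, next to a parameterized version. The table, procedure names and sample input are hypothetical and constructed for illustration.

```sql
-- Constructed example: all object names and data are hypothetical.
CREATE TABLE dbo.Customers (
    CustomerId INT IDENTITY PRIMARY KEY,
    LastName   NVARCHAR(50) NOT NULL
);
INSERT INTO dbo.Customers (LastName) VALUES (N'Smith');
INSERT INTO dbo.Customers (LastName) VALUES (N'Jones');
GO

-- Vulnerable: the caller's value is concatenated into the statement text,
-- so a quote character in @LastName ends the string literal and the rest
-- of the value is parsed as SQL. No product patch changes this.
CREATE PROCEDURE dbo.FindCustomer_Unsafe
    @LastName NVARCHAR(50)
AS
BEGIN
    DECLARE @sql NVARCHAR(400);
    SET @sql = N'SELECT CustomerId, LastName FROM dbo.Customers '
             + N'WHERE LastName = ''' + @LastName + N'''';
    EXEC (@sql);
END
GO

-- Hardened: the statement text is a constant and the value is passed as a
-- typed parameter, so it is only ever compared as data.
CREATE PROCEDURE dbo.FindCustomer_Safe
    @LastName NVARCHAR(50)
AS
BEGIN
    SET NOCOUNT ON;
    EXEC sp_executesql
        N'SELECT CustomerId, LastName FROM dbo.Customers WHERE LastName = @name',
        N'@name NVARCHAR(50)',
        @name = @LastName;
END
GO

-- Same constructed input for both procedures. In the unsafe one the text
-- after the quote becomes part of the WHERE clause; in the safe one the
-- whole value is treated as a last name to match.
EXEC dbo.FindCustomer_Unsafe @LastName = N'x'' OR 1=1 --';
EXEC dbo.FindCustomer_Safe   @LastName = N'x'' OR 1=1 --';
```

Where no dynamic SQL is needed at all, a static `SELECT ... WHERE LastName = @LastName` inside the procedure is the simpler safe form.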