c.d.o.server -> Re: how bad are these vulnerabilities?
TG wrote:
> http://www.eweek.com/article2/0,1895,2064828,00.asp?kc=EWEWEMNL112706EP21A
>
> I took a boo at this guy's (David Litchfield) white paper; it reads more
> like an infomercial for MS-SQL. Nonetheless, the SQL Server advocates in
> my company are going to try and use this as ammo to convert existing
> Oracle DBs to MS-SQL by brandishing this report to the powers that be.
>
The single biggest factor in that paper is the development lifecycle of the RDBMS. In other words, it compares SQL Server 2000 and Oracle 10g. Presumably the guys advancing the argument are happy to remain at SQL Server 2000 for the next 3-5 years or so.
I'd then be sorely tempted, if security really is a platform decider (*most* places sadly it isn't), to do a security review of the applications and code that *currently* exist on both platforms within *your* organisation, i.e. how vulnerable are you and what is the source of the vulnerabilities. Most places will fail the review quite badly for things like:
easily guessed passwords
storing plain text passwords in the db
not changing default passwords
code that is vulnerable to SQL injection
ability to ask staff for their password
not securing application code directories appropriately
and so on and on.
Then consider the balance of risk and probability given the profile of attacks (something like 80% from within the organisation last time I looked).
Yes Oracle's record *is* poor and worse than Microsoft's, but vulnerability in the platform software itself isn't usually the biggest cause of a breach of security.
--
Niall Litchfield
Oracle DBA
http://www.orawin.info/services

Received on Mon Dec 18 2006 - 00:48:33 CST
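Two of the failings in the list above (SQL injection and plaintext password storage in the database) are shown side by side in the following example. It is added here and is not code from the original post or from either vendor; it uses Python's standard-library sqlite3 as a stand-in for Oracle or SQL Server, and the user names, passwords and table layout are constructed for the demo. The vulnerable login builds its SQL by string concatenation and compares a plaintext column inside the query, so the input `' OR '1'='1` logs in as whoever comes first in the table; the hardened login binds parameters and compares a salted PBKDF2 hash in application code, so the same input fails.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed sample accounts for the demo (not from the original post).
SAMPLE_USERS = [("alice", "correct horse"), ("bob", "hunter2")]

# Classic tautology payload: closes the string literal and ORs in a true condition.
INJECTION = "' OR '1'='1"


def hash_password(password, salt=None, iterations=200_000):
    """Salted PBKDF2-HMAC-SHA256; returns 'salt$iterations$digest' for storage."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt.hex() + "$" + str(iterations) + "$" + digest.hex()


def verify_password(password, stored):
    """Recompute the hash with the stored salt/iterations and compare in constant time."""
    salt_hex, iterations, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)


def build_db():
    """In-memory table holding both a plaintext column (the bad practice) and a hash."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, pw_plain TEXT, pw_hash TEXT)")
    for name, pw in SAMPLE_USERS:
        conn.execute("INSERT INTO users VALUES (?, ?, ?)", (name, pw, hash_password(pw)))
    conn.commit()
    return conn


def login_vulnerable(conn, name, password):
    """Deliberately vulnerable: user input is pasted into the SQL text and the
    password check happens against a plaintext column inside the query."""
    sql = (
        "SELECT name FROM users WHERE name = '" + name
        + "' AND pw_plain = '" + password + "'"
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_hardened(conn, name, password):
    """Parameterised lookup, then hash verification in application code.
    The password never reaches the SQL text at all."""
    row = conn.execute("SELECT pw_hash FROM users WHERE name = ?", (name,)).fetchone()
    if row is None:
        return None
    return name if verify_password(password, row[0]) else None


if __name__ == "__main__":
    db = build_db()
    print("vulnerable, real creds :", login_vulnerable(db, "alice", "correct horse"))
    print("vulnerable, injection  :", login_vulnerable(db, "nobody", INJECTION))
    print("hardened, real creds   :", login_hardened(db, "alice", "correct horse"))
    print("hardened, injection    :", login_hardened(db, "nobody", INJECTION))
```

With the vulnerable routine the WHERE clause becomes `name = 'nobody' AND pw_plain = '' OR '1'='1'`; AND binds tighter than OR, so every row matches and the first one is returned. The same review would also flag that `pw_plain` exists at all: once the column is gone, an attacker who does achieve injection can only read hashes, not reusable credentials.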