I always get a chuckle (well, not always, but often) when I read anything to do with Microsoft vs. “the flavour of the month”. In this case, it looks like the flavour of the month is Oracle.
The articles simply imply that SQL Server is more secure than Oracle. They go on to count the number of vulnerabilities identified over the last few years. It’s scary stuff, and I’m sure we’re all running out now to ask our architects and DBAs how quickly we can port over to SQL Server.
I say I get a chuckle with these things because I actually read one of the use-cases from the author.
First off, I need to make a confession. I like Microsoft. They generally make the only software I find practical for my home use. And the keyboards and mice they make are unmatched. The Xbox is great too. I also really like Linux and Solaris. Frankly, all the databases that I work on work best on them. Oracle also makes the best database software for what it’s built for, and for what most of our clients use it for.
All of these companies are leaders in one way or the other, and they have their own faults. I always get that chuckle when I read about Windows flaws. What do researchers expect? I liken it to Michael Jordan. See, I played high school basketball, and I dreamt of making the NBA someday, but then I went to university and common sense kicked in. I still play regularly. And what strikes me is this: when you’re the best player in the league, the opposing team always puts up their best defender against you. MJ became the best in the league, a god-among-ballers if you will, because the other teams consistently made him improve his game. It logically follows that if you have a dominant position in anything, everyone will come after you and expose every flaw in your armour, no matter how insignificant, or complex, or impractical that vulnerability is.
Obviously Microsoft has to work harder to fix its vulnerabilities on the OS front — it’s the undisputed champ. Well, I think the same can be said for Oracle. I think the more important question to be asked is, how many people are actually at risk of being exploited?
A case in point here. It’s the same as the use-case I mentioned above. I’m a developer and a DBA. I’ve written a couple of apps myself. Will anyone ever be able to use this exploit against me? I doubt it. The reason I doubt it is that security isn’t built only in the database, it’s built at the firewall, it’s built into the app, it’s built into the DB. Can you imagine how far a person has to infiltrate into my system before this exploit becomes practical?
At least Oracle came through with the logical response to the threat of having its security vulnerabilities unleashed on the masses: “(We) do not credit security researchers who disclose the existence of vulnerabilities before a fix is available. We consider such practices, including disclosing ‘zero day’ exploits, to be irresponsible as they can result in needlessly exposing customers to risk of attack.”
I like this. This shows more common sense than that displayed by self-trumpeting security analysts threatening the company and putting users at risk. Yee-haw.
I once went to a basketball camp with Leo Rautins, one of the few Canadians to have made it to the NBA and played against Jordan and Larry Bird. (I played against him, and he was awesome, which is kinda sad, because in the NBA he was actually the worst-performing Canadian player. So it was obvious why I needed to move my career in another direction.) He once told me that the best basketball player in the world is probably rotting away in prison (a reference to the huge numbers of African-American men incarcerated, hugely disproportional to the actual number of African-Americans in the US).
I don’t want to get into a philosophical discussion, since demographics, social policy, stats and crime are some of my hobbies and outside the scope of this article. But the point he was making is this: if you don’t see something, how do you know it exists? And by extension, if fewer people are looking, does that mean something isn’t there? There are no scouts scouting American prisons, but he personally knew people with exceptional skill who were playing in the penitentiary leagues. The problem is that these people existed but were unknown because no one was looking there.
The same is true with software. If no one is looking for vulnerabilities on a platform, does that inherently mean it is more secure? Is a Mac more secure because it’s better built, or is it more secure because there are fewer threats against it?
I know there’s a risk with these flaws, just as there are risks with using IE. But I still surf using it. Hell, I still use Windows 98 at home on an old AMD K6-2 450 machine that runs just as well today as it did five years ago. I haven’t been “identity thieved” yet. I have resigned myself to the fact that it’s just a matter of time, and if someone really wants to get to me, they’ll find a way no matter how non-secure or secure my database is. What all these security experts fail to mention is that the vast majority of security exploits are conducted by insiders.
Finally, it comes down to broken trust. That’s something you can’t guard against. Chuckle chuckle… sigh.