The health of databases is of critical importance to business managers, application owners and enterprise IT teams. The life of an organization is literally represented inside its database servers. Take away the ability to reliably run enterprise applications or complete customer transactions and you will watch the business come to a standstill. One quantifiable indicator of the enterprise's risk of business disruption, or of leakage of confidential data, is the number of vulnerabilities that exist in its technical infrastructure. The number of known vulnerabilities correlates both with the number of vulnerabilities still undiscovered and with the risk that an exploit launched against the vulnerable database will succeed. It is very clear that the more vulnerabilities that exist, the more likely it is that an attack will be successful.

With this in mind, ESG compiled Common Vulnerabilities and Exposures (CVE) data from the National Vulnerability Database to compare security vulnerabilities among the commercial database offerings from Microsoft and Oracle and the open source MySQL. Oracle, traditionally a company that holds its security cards very close to the vest, has been disclosing large numbers of security vulnerabilities over the past few quarters. Microsoft has gone through its own soul-searching when it comes to security, from openly disclosing defects to a complete revamping of its engineering process with its Security Development Lifecycle (SDL). Microsoft SQL Server 2005 is particularly worth examining, as it is the first major product release that Microsoft has put through the SDL.

Download PDF: Microsoft SQL Server Runs the Security Table