Opinions are still... just that... opinions.However Mr. Litchfield is in the category of expert that would be deemed an "expert witness" in a court of law. His CV is impeccable, his factual research has much merit, his reputation in this area is unparalleled.
On the factual evidence of published/known vulnerabilities, the historically long time to patch, the revisions to released patches when they are found to not protect are clear evidence of a firm that needs to perhaps be a tad more security aware. Those are clear historical facts in evidence in the public arena.
However, one cannot merely jump from the fact that Mr. Litchfield is beyond reproach to make his mere opinions into facts.
Expert witnesses are bound by the "Daubert test" these days (gotta love it when even the wikipedia has a link http://en.wikipedia.org/wiki/Daubert_Standard )
Given his body of knowledge in database security, his resume and all that, does his opinion hold more weight in persuasion more than practically anyone else on the planet? Oh yeah. But the parts that are true "opinion" are still opinion and not fact.
However, Mr. Stopmakingnoise's comment about Microsoft's extremely negative security records is also opinion, not quantified by facts. era, nor does in include an acknowledgment of our own responsibility in security. In databases, probably the most common and public security event affecting the database security world, I would argue, was SQL slammer, an incident that had a patch available ahead of time. Granted it may not have been the easiest to deploy, but it was there. In my opinion, those of us consumers of databases need to acknowledge own participation in security. Having a vendor that takes security seriously is part of the equation, but buyers and implementers of databases need to do their part as well. If our line of business applications won't support the newer, more secure databases, our data is still at risk. And obviously if we're not patching those databases, we're even more still at risk.
Thor (Hammer of God) wrote:
Inline: On 11/24/06 10:46 AM, "stopmakingnoise@xxxxxxxxx" <stopmakingnoise@xxxxxxxxx> opined:Having said this, do we really need a paper telling us: - "SQL Server code is just more secure than Oracle code." - "Does Oracle have an equivalent of SDL? Looking at the results, I don‚t think so." - "[...] given these results one should not be looking at Oracle as a serious contender." I don't think so. This is plain FUD. Want to write a paper comparing flaws found in these two DBMS? That's fine. Please write down numbers and graphs, but - please! - refrain from any comments which are not factual but are your own's. To get to the point: I may agree and sympathize with your personal point of view (in fact, I do) but these sentences have NOTHING to do in a supposedly research-oriented paper.David Litchfield is one of the most predominant security researchers in the field, particularly in the area of database security. He and NGS have discovered more combined security vulnerabilities in leading DBMS products than anyone else in the world. Given this fact, I think that not only is it appropriate for David to give whatever opinions he chooses in his research, but that it is his opinions that actually give the research real, tangible, applicable value. With his indisputable status as an authority on database security and his unwavering integrity, I have no problem whatsoever in considering Dave's opinions to be"fact."As a matter of fact, if we start talking about things such as "looking at Oracle as a serious contender", you wouldn't arrive at the point of evaluating SQL Server because there would be no point at all in considering Microsoft's Operating Systems, given their extremely negative security records, as "serious contenders" themselves.Any point that you may have had regarding "FUD" and "comments that are not factual but one's own" were totally lost by this statement in a sadly ironic way. T
--Letting your vendors set your risk analysis these days? http://www.threatcode.com
If you are a SBSer and you don't subscribe to the SBS Blog... man ... I will hunt you down... http://blogs.technet.com/sbs