On 8/6/2013 10:06 AM, Matt Olson wrote:
> I was looking at the datasheet for SQL 2014 that will be coming out within the next year or so. What I found interesting is they ranked the major databases by vulnerabilities over a 5 year period. Microsoft SQL was #1 with the fewest vulnerabilities, Oracle and DB2 had by far the most vulnerabilities discovered.
>
> http://download.microsoft.com/download/D/7/D/D7D64E12-C8E5-4A8C-A104-C945C188FA99/SQL_Server_2014_Datasheet.pdf
>
> I'm curious though, I can't seem to find their source of this information on the NIST vulnerability database to corroborate this news.

That's typical, and not just of Microsoft. It's very rare for anything
except peer reviewed papers to have links to original source material.
It's virtually unheard of for an advertisement like the above link.
Worse, the brochure is either sloppy or intentionally misleading in the
citation of the NIST Comprehensive Vulnerability Database. NIST calls
that database the National Vulnerability Database. Picky?

> I'm suspecting that most of this is from DB2 on LUW and not the DB2 for i variety as the LUW version is a bit more mainstream.
>
> Thoughts?

That you have to suspect rather than /know/ speaks directly to the
quality of the data we are considering.

The advert says 'Least Vulnerable Database 5 years in a row' and it goes
on to justify that claim with a graph of vulnerability counts. Counts.

Here is a thought experiment for you. If a database has exactly one
vulnerability reported for that 5 year span, is it the least vulnerable?
What if that vulnerability was 'executes all commands as root
regardless of actual authorisation'? If another database has 60
vulnerabilities reported each year for the same 5 year span, would that
be the most vulnerable? What if every one of those vulnerabilities
turned out to be 'allows physical console to access elevated privileges'?

And so, what do I think? Counts are meaningless without understanding
what is included in the count, and all numbers in an advertisement
should be considered embroidery at best.
--buck
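The thought experiment above (one critical remote hole versus hundreds of physical-access issues) can be made concrete by scoring the same records several ways. The following is an added example, not code from the list or from NIST; the records are constructed for the two hypothetical products in the post, and the field names inside `cvssData` follow the layout of NVD's JSON feeds (an assumption about the feed format, not something the post states).

```python
"""Rank products by vulnerability count versus severity-aware metrics."""
from collections import defaultdict

# Constructed sample records for the thought experiment in the post.
# Product names and CVE ids are made up; the cvssData keys follow NVD's
# JSON layout (assumed), with CVSS v3 base scores for:
#   db_a: one flaw, remote and unauthenticated, full compromise (9.8)
#   db_b: 300 flaws, each needing physical console access (6.6)
SAMPLE_RECORDS = [
    {"product": "db_a", "id": "CVE-0000-0001",
     "cvssData": {"baseScore": 9.8, "attackVector": "NETWORK",
                  "privilegesRequired": "NONE"}},
] + [
    {"product": "db_b", "id": f"CVE-0000-{n:04d}",
     "cvssData": {"baseScore": 6.6, "attackVector": "PHYSICAL",
                  "privilegesRequired": "LOW"}}
    for n in range(2, 302)
]


def summarize(records):
    """Aggregate per product: the raw count the advert uses, plus three
    figures that take severity and reachability into account."""
    grouped = defaultdict(list)
    for rec in records:
        grouped[rec["product"]].append(rec["cvssData"])

    summaries = {}
    for product, metrics in grouped.items():
        scores = [m["baseScore"] for m in metrics]
        # Flaws reachable over the network with no credentials are the ones
        # an internet-facing deployment actually has to worry about first.
        remote_unauth = sum(
            1 for m in metrics
            if m["attackVector"] == "NETWORK"
            and m["privilegesRequired"] == "NONE"
        )
        summaries[product] = {
            "count": len(scores),
            "max_score": max(scores),
            "total_score": round(sum(scores), 1),
            "remote_unauth": remote_unauth,
        }
    return summaries


def rank_by(summaries, metric):
    """Return product names ordered 'least vulnerable' first under `metric`.
    Ties are broken by name so the ordering is deterministic."""
    return sorted(summaries, key=lambda p: (summaries[p][metric], p))


def main():
    summaries = summarize(SAMPLE_RECORDS)
    for metric in ("count", "total_score", "max_score", "remote_unauth"):
        print(f"{metric:14s} least vulnerable first: {rank_by(summaries, metric)}")


if __name__ == "__main__":
    main()
```

Ranking by `count` puts db_a first, exactly as a "fewest vulnerabilities" graph would; ranking by `max_score` or `remote_unauth` puts db_b first. Neither ordering is wrong on its own terms, which is the point: a count tells you nothing until you know what was counted and how reachable each item is. Against a real NVD export you would pull `baseScore` and the vector fields from the `cvssMetricV31` entries and group by CPE rather than by a hand-written `product` label.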

