David Litchfield has published a comparison of the security of the SQL Server and Oracle products at http://www.databasesecurity.com/dbsec/comparison.pdf, and he has clearly pointed out that SQL Server 2005 is more secure.
 
For those of us who do not know Litchfield’s work, here is a bio copy-pasted from http://www.oreillynet.com/pub/au/1609:
 
"David Litchfield leads the world in the discovery and publication of computer security vulnerabilities. This outstanding research was recognized by Information Security Magazine who voted him as ‘The World’s Best Bug Hunter’ for 2003. To date, David has found over 150 vulnerabilities in many of today’s popular products from the major software companies (the majority in Microsoft, Oracle). David is also the original author for the entire suite of security assessment tools available from NGSSoftware. This includes the flagship vulnerability scanner Typhon III, the range of database auditing tools NGSSquirrel for SQL Server, NGSSquirrel for Oracle, OraScan and Domino Scan II."
 
I came across his work around two years ago while going through some materials on http://www.blackhat.com/, and have been reading him ever since - he has always come across as simple and direct, and of course brilliant. If you use any of his products, or go through his publications on http://www.databasesecurity.com/, you too will agree with me.
 
Litchfield credits the superior security of SQL Server to the Security Development Lifecycle followed at Microsoft. SDL indeed is perhaps the biggest reason for the falling security bug-counts of our products, and we have been sharing our learnings with the industry through various forums, articles, webcasts, books, etc. In fact, recently Mike Howard and Steve Lipner’s The Security Development Lifecycle was released – I had already read Howard’s Writing Secure Code and 19 Deadly Sins, and was thinking that the SDL book would be very process-oriented and boring, but was delighted to find that it was not – it is a very pragmatic book and I would heartily recommend it to everyone!
 
  • Pandurang Nayak

    Blog some more!
