Microsoft SQL Server stands for enhanced security
Enterprise Strategy Group (ESG) has carried out a study called 'Microsoft SQL Server Runs the Security Table'.
They found a stark contrast between the rates of security vulnerabilities documented in the National Vulnerability Database for Microsoft SQL Server, MySQL and Oracle.
ESG believes that Microsoft’s investments in secure development processes are responsible for the impressive results in SQL Server quality. ESG considers Microsoft, with proper execution, to be years ahead of Oracle and MySQL in producing secure and reliable database products.
Microsoft has made significant investments in improving the security and integrity of its products, and those investments have produced impressive results. ESG believes that the other database vendors can benefit from the Microsoft experience and learn from the best practices of Microsoft development:
What has Microsoft done that the industry can learn from?
- Bake security into the core. Security is not a feature that can be sprinkled onto enterprise application systems. It has to be a measured objective from Day One. Microsoft makes every effort to catch defects before they become embedded in designs and source code with mandatory security training of engineering staff, peer review of source code, formal sign-offs of security reviews and rigorous forensic analysis of discovered defects to be sure the organization learns how the defect could have been prevented.
- Reduce attack surfaces. Active interfaces provide entry points for attacker exploits, usually by finding a weakness in parameter handling. Reducing the attack surface provides software products that are easier for Microsoft and its customers to secure. While it is convenient to have all product features tacitly enabled by default, good security practice dictates an “opt-in” approach. Microsoft products will ship in secure configurations where the customer will explicitly enable desirable product features.
- Break the implementation before customers do. This attitude goes way beyond traditional Quality Assurance functions. Engineers, who know the product best, are required to complete a process of Threat Modeling followed by a series of Fuzz Tests. Threat Modeling uses the top engineers to focus on design and architectural linkages to uncover threat scenarios and solutions. Fuzz Tests automate penetration testing of the attack surface with distorted parameters to detect vulnerabilities.
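The "opt-in" approach above can be verified on a running instance. The T-SQL below is an added example, not code from the ESG study or from Microsoft: it lists the surface-area options that SQL Server ships disabled, so any row reporting value_in_use = 1 is a feature an administrator explicitly turned on and should be able to justify, and it shows how to return one such option to its shipped state.

```sql
-- Added example (not from the ESG study or Microsoft). Audits the opt-in
-- surface-area options in sys.configurations. Every option listed here ships
-- with a value of 0; a row with value_in_use = 1 is a deliberate enablement
-- that widens the attack surface and should be documented or reverted.
SELECT name,
       value_in_use,          -- 1 = feature is currently enabled
       description
FROM sys.configurations
WHERE name IN (
    'xp_cmdshell',                  -- OS command execution from T-SQL
    'Ole Automation Procedures',    -- COM object creation (sp_OACreate etc.)
    'clr enabled',                  -- user-loaded .NET assemblies
    'Ad Hoc Distributed Queries',   -- OPENROWSET / OPENDATASOURCE
    'Database Mail XPs',            -- outbound mail from the engine
    'cross db ownership chaining'   -- permission chaining across databases
)
ORDER BY name;

-- Returning an option to its shipped (disabled) state, here xp_cmdshell.
-- These are advanced options, so they are only visible to sp_configure
-- while 'show advanced options' is on; it is switched back off afterwards.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;
```

Running the SELECT on a freshly installed instance should return value_in_use = 0 for every row; re-running it periodically is a cheap way to detect configuration drift away from the secure default.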
The Microsoft approach is to make building secure products intrinsic to the entire development process. While they may use tools to automate detection of such things as the use of banned routines or insecure coding practices, the real value is in creating awareness, providing education and increasing team responsiveness throughout the organisation. It is a tremendous investment in resources that has taken years to achieve demonstrable results in customer deployments.
Call today to set up your server on a Microsoft platform - 0800 458 4545, or request more information online.
