Thursday, December 28, 2006

Movie?

A few days ago I got the chance to be part of something like a Jackass movie, and for reasons everybody knows (have you watched Jackass? No? Watch it and you'll be among those who know the reasons), I didn't go. So I thought about something else. Can you guess what?

Think for a while, and when you have the answer, read the rest of the post :)

Simply put, I thought: what if I make my own movie?
What would it take?

1- Good Camera (I got one).

2- Crew (many friends are here).

3- Story (I could write a complete story in less than 1 hour).

4- Cars, clothes, etc (available).

So I decided to do it. I've already written the story, and the only thing remaining is to find a crew who won't refuse to do the movie. It may be in both languages, English and Arabic.

Stay tuned :)

Wednesday, December 27, 2006

Perception vs. Reality

There's a nice picture on my floor in my building that I used to see every day on the way to my office, but only last week did I think about its meaning. When someone is thinking about a piece of software and designing it, his perception of the size of the software, the number of expected bugs, the customers' cases, etc., is something like this:

But when you actually begin working on the product, you suddenly find that the reality is something like this:

So always make sure that you're working on a Chihuahua and not a Boxer.

Tuesday, December 12, 2006

Which RDBMS is more secure: SQL Server vs. Oracle

I found this nice comparison between Oracle and SQL Server on security:

Let's zoom in on the graph a little bit:

As you can see, no security flaws have been reported in SQL Server 2005 since it was released.

Interpretation of results - some Q and A

Do Oracle’s results look so bad because it runs on multiple platforms?
No – pretty much most of the issues are cross-platform. In the 10gR2 graph every flaw affects every platform.

Do the SQL Server 2005 results have no flaws because no-one is looking at it?
No – I know of a number of good researchers who are looking at it – SQL Server code is just more secure than Oracle code.

Do you have any predictions on the Oracle January 2007 Critical Patch Update?
Maybe – NGSSoftware are currently waiting for Oracle to fix 49 security flaws – these will be fixed sometime in 2007 and 2008.

Do these results contain unfixed flaws?
No – only those that have been publicly reported and fixed are in the data.

Why have there been so few bugs found in SQL Server since 2002?
Three words: Security Development Lifecycle – SDL. SDL is far and away the most important factor. A key benefit of employing SDL is that knowledge learnt after finding and fixing screw-ups is not lost; instead it is ploughed back into the cycle. This means that rather than remaking the same mistakes elsewhere, you can guarantee that new code, whilst not necessarily completely secure, is at least more secure than the old code.

Microsoft SQL Server
Security issues and fixes in SQL Server 7, 2000 and 2005 from December 2000 to November 2006. Five MDAC security flaws over this period have not been included in these results because MDAC is part of Windows and not SQL Server.

Oracle
Security issues and fixes in Oracle 8, 9 and 10 from December 2000 to November 2006. Only security issues found in the TNS Listener and the RDBMS itself have been included in the following graph. This means issues found in components such as the Intelligent Agent or the Oracle Application Server have not been included.

Source:
http://www.databasesecurity.com/dbsec/comparison.pdf

More Information:
http://www.blackhat.com/presentations/bh-usa-05/bh-us-05-cerrudo.pdf