Stay More Secure with Open Source…?

I was reading an article on eWeek (actually a slideshow) that was talking about best practices to apply to secure your database (technically your data). While the usual suspects are there – encryption and access controls and the like (which is great), I was surprised at the recommendation to use open source databases for a more secure environment.

The post says that, since open source databases are open to more eyes for inspection and such, and potentially have more updates and corrections because of that, they’re more secure. Budget was also mentioned, but I will leave the whole cost debate to another time.

Security-wise, I can’t imagine an open source database platform being more secure than a commercial database engine. I just can’t see it. Perhaps compared with a smaller engine, or a smaller market player, but against SQL Server and that type of proven, acid-tested environment, I just can’t see it, frankly.

Of course some will say that they can point to vulnerabilities that prove it out, but at any given point in time there are 0 to “X” things like that going on with *any* engine. This is why updates flow; it’s why patches and service packs exist. I don’t say this to make excuses for SQL Server, but rather because it gives me pause and adds one more thing to a discussion with a customer: explaining why that stated difference in security might not actually be the case.

It’s like the statement that open-source databases are less expensive. It’s not the whole picture; it’s not a specific look at the things that impact the specific customer you’re speaking with, but rather a big, broad, sweeping statement that it’s “better” (or safer, in this case).

I just don’t buy it.

The maturity of SQL Server (and its cloud-based cousins) is quite “up there” on the scale of time, effort and care in getting things right. It’s been time-tested; it’s been battle-tested. It has constant updates (as any software must these days), and my personal opinion is that it’s irresponsible to put this type of argument out there as a single-paragraph, broad statement.

I’m not here to stand up for SQL Server, but when I see these types of statements about the cloud, about databases, about open-source, about ANYTHING in IT at this point, it just makes me wince.