Memo to Larry Ellison: The Roman Coliseum halted gladiator combats around 435 A.D. SAP has thrown in the towel and has no interest in continuing a court battle. Hewlett-Packard executives are refusing to accept service on your lawsuits and HP’s newly named chief executive Leo Apotheker is laying low, presumably dodging your increasingly vituperative verbal assaults. You’ve got no takers for the bloody, bare knuckles brawl you crave. What does that tell you?

It should signal an end to the Circus Maximus sideshow but it won’t.

No one desires this much attention or sticks their chin out spoiling for a fight like Ellison. And in an industry like high tech that’s overflowing with giant egos, that’s saying something. It’s true that Ellison’s antics always make for reams and reams of good copy. Reporters calling for comments on the latest developments don’t even bother to suppress their mirth. Enough is enough, though. The Larry Ellison Show would be more amusing if corporate customers weren’t getting caught in the crossfire.

“When two elephants fight, it is the grass that gets trampled.”

– African proverb

Hewlett-Packard Co. and Oracle Corp.’s decision to settle the lawsuit over Oracle’s hiring of Mark Hurd as co-President after weeks of public wrangling is welcome news to everyone but the corporate attorneys.

But don’t expect the two vendors to just pick up and resume their former close partnership. It got very ugly, very fast. And the reverberations from Hurd’s hiring to HP’s recent appointment of Leo Apotheker, as the new CEO effective November 1, will be felt for a long time. HP’s decision to hire the German-born Apotheker, who is also the former CEO of SAP, is to put it politely a big “take that, Oracle!” Forget the surface smiles, behind the scenes Oracle and HP have their ears pinned back, teeth bared and swords sharpened as they gird for battle.

This was not the typical cross-competitive carping that vendors routinely spew to denigrate their rivals’ products and strategies. The issues between HP and Oracle are very personal and very deep. The verbal volleys Oracle CEO Larry Ellison lobbed at HP in recent weeks exposed the changing nature of this decades old alliance. It is morphing from a close, mutually beneficial collaboration to a head-on collision in several key product areas. Ellison’s words did more than just wound HP: they also opened up deep fissures in the relationship which are as big as the San Andreas Fault.

Ask any 10 qualified people to guess which of the major database platforms is the most secure and chances are at least half would say Oracle. That is incorrect.

The correct answer is Microsoft’s SQL Server. In fact, the Oracle database has recorded the most number of security vulnerabilities of any of the major database platforms over the last eight years.

This is not a subjective statement. The data comes directly from the National Institute of Standards and Technology.

Since 2002, Microsoft’s SQL Server has compiled an enviable record. It is the most secure of any of the major database platforms. SQL Server has recorded the fewest number of reported vulnerabilities — just 49 from 2002 through June 2010 — of any database. These statistics were compiled independently by the National Institute of Standards and Technology (NIST), the government agency that monitors security vulnerabilities by technology, vendor, and product (see Exhibit 1). So far in 2010, through June, SQL Server has a perfect record — no security bugs have been recorded by NIST CVE.

And SQL Server was the most secure database by a wide margin: Its closest competitor, MySQL (which was owned by Sun Microsystems until its January 2010 acquisition by Oracle) recorded 98 security flaws or twice as many as SQL Server.

By contrast, during the same eight-and-a-half year period spanning 2002 through June 2010, the NIST CVE recorded 321 security vulnerabilities associated with the Oracle database platform, the highest total of any major vendor. Oracle had more than six times as many reported security flaws as SQL Server during the same time span. NIST CVE statistics recorded 121 security-related issues for the IBM DB2 platform during the past eight-and-a-half years.

Solid security is an essential element for many mainstream line-of-business (LOB) applications, and a crucial cornerstone in the foundation of every organization’s network infrastructure. Databases are the information repositories for many organizations; they contain much of the sensitive corporate data and intellectual property. If database security is compromised, the entire business is potentially at risk.

SQL Server’s unmatched security record is no fluke. It is the direct result of significant Microsoft investment in its Trustworthy Computing Initiative, which the company launched in 2002. In January of that year, Microsoft took the step of halting all new code development for several months across its product lines to scrub the code base and make its products more secure.

The strategy is working. In the past 21 months since January 2009, Microsoft has issued only eight (8) SQL Server security-related alerts. To date in 2010 (January through June), there have been no SQL Server vulnerabilities recorded by Microsoft or NIST. Microsoft is the only database vendor with a spotless security record the first six months of 2010.

ITIC conducted an independent Web-based survey on SQL Server security that polled 400 companies worldwide during May and June 2010. The results of the ITIC 2010 SQL Server Security survey support the NIST CVE findings. Among the survey highlights:
• An 83% majority rated SQL Server security “excellent” or “very good” (see Exhibit 2, below).
• None of the 400 survey respondents gave SQL Server security a “poor” or “unsatisfactory” rating.
• A 97% majority of survey participants said they experienced no inherent security issues with SQL Server.
• Anecdotal data obtained during first-person customer interviews also elicited a very high level of satisfaction with the embedded security functions and capabilities of SQL Server 7, SQL Server 2000, SQL Server 2005, SQL Server 2008, and the newest SQL Server 2008 R2 release. In fact, database administrators, CIOs and CTOs interviewed by ITIC expressed their approbation with Microsoft’s ongoing initiatives to improve SQL Server’s overall security and functionality during the last decade starting with SQL Server 2000.

Strong security is a must for every organization irrespective of size or vertical industry. Databases are among the most crucial applications in the entire network infrastructure. Information in databases is the organization’s intellectual property and life blood.

Databases are essentially a company’s electronic filing system. The information contained in the database directly influences and impacts every aspect of the organization’s daily operations including relationships with customers, business partners, suppliers and its own internal end users. All of these users must have the ability to quickly, efficiently and securely locate and access data. The database platform must be secure. An insecure, porous database platform will almost certainly compromise business operations and by association, any firm that does business with it. Any lapses in database security, including deliberate internal and external hacks, inadvertent misconfiguration, or user errors can mean lost or damaged data, lost revenue, and damage to the company’s reputation, raising the potential for litigation and loss of business.

It’s also true that organizations bear at least 50 percent of the responsibility for keeping their databases and their entire network infrastructures secure. As the old proverb goes, “The chain is only as secure as its weakest link.” Even the strongest security can be undone or bypassed by user error, misconfiguration or weak computer security practices. No database or network is 100 percent hack-proof or impregnable.Organizations should consult with their vendors regarding any questions and concerns they may have about the security of ANY of their database platforms. They should also ensure they stay updated with the latest patches and install the necessary updates. Above all, bolster the inherent security of your databases with the appropriate third party security tools and applications. Make sure your organization strictly adheres to best computer security computing practices. At the end of the day only you can defend your data.

Registered ITIC site users can Email me at: ldidio@itic-corp.com for a copy of the full report.