SQL Server 2005 implements SDL Microsoft chose to use SQL Server as the first product to commit to the SDL process, starting with SQL Server 2000 SP3 released in 2003 and continuing with SQL Server 2005. The results, as measured by the CVE entries of Microsoft’s closest competitors have been impressive. While Oracle has shown steady year-on-year growth in registered defects, the National Vulnerability Database reports zero CVEs for Microsoft SQL Server in both 2005 and 2006.

Secure by Design. SQL Server has made many changes to bake security into the database. SQL Server implemented some of the outcomes of Threat Modeling exercises, such as reducing the risk of unintended database access by requiring administrators to explicitly enable ownership chaining across database boundaries or implementing a granular trust model so well-written applications can avoid the security problem of hardcoding usernames and passwords in application code.

Secure by Default. Consistent with reducing attack surfaces, SQL Server disables many options by default. Customers installing SQL Server out of the box start with a secure configuration where they have to explicitly enable required services. For instance, customers must enable features that are turned off by default, such as Windows command shells, dbmail and SQL browser service. The chance of an attacker taking advantage of inadvertently open external connections is significantly reduced.

Secure by Deployment. Microsoft has implemented features in SQL Server that make it a more secure database product for customers to configure. ESG found the use of authenticated identity to be particularly useful in managing permissions for database actions. In fact, users need specific privileges to even be able to have visibility into metadata that they do not own.