PGSql/MySQL don't really offer concrete solutions to protect data - apart from common sense like patches, secure passwords, et al. Now look at offerings from the big co's.
You're comparing commercial databases favorably to Open Source databases on the grounds of security? This differs vastly from my experience. Oracle is an impenetrable mess:
- do or don't use TNSLSNR
- if you use TNSLSNR, do or do not secure it with password protection
- my experience with Oracle has been that port allocation is rather nondeterministic. I've attempted to perform identical installations several times and ended up with TNS and the databases on weird ports for reasons I can't explain.
- user management of Oracle behaves differently on different platforms, I think. IIRC it integrates with NT credentials on Windows, and UNIX credentials for certain connection situations, but there's also a username/password file that controls who can connect
- you issue alter password commands in unquoted SQL. Because of this you don't get to use things like mixed case (?) or spaces or most punctuation characters
- but you CAN use quotes around the password, in which case it behaves sanely. I didn't even know this until I looked it up, it's so uncommon.
- Oracle attempted to market Oracle 9 as "Unbreakable": http://news.cnet.com/8301-10784_3-5808928-7.html. They had enjoyed a pass from hackers since systems/network folks tend to bury the DB at the back of the architecture, rarely accessible on the public internet. After those shenanigans security-minded DBAs had not the best time of their careers, as they had dozens of security patches per quarter for a while.
Perhaps the commercial guys have security "features", such as row based security or encryption, that the free products don't have. While it's surely better to have those than not, I'm not convinced applying those proprietary features to an otherwise insecure design is satisfactory "defense in depth". You can, however, have sufficient defense in depth without those features.
Sarbanes-Oxley isn't too bad: the crux of it is that you have to enumerate your controls and stick to them. I understand PCI compliance is another matter. I don't know much about it, though.