Most Oracle database shops don't mandate security patch use

Most Oracle database shops don't mandate security patch use

Oracle, IOUG find that only 32 percent of surveyed users require patching of all or some systems

"I think probably the feeling in those organizations is that since databases are a little more isolated than the desktop, there's less of a [security] concern," he said. "A lot of people feel they're more secure because they're behind firewalls and think they have good perimeter security." That probably explains why some of the companies surveyed by the IOUG and Oracle said they had formal patching policies for their Windows systems but not their Oracle databases, added Abramson, who is director of the enterprise data group at Thoughtcorp, a consulting and IT services firm.

Amichai Shulman, chief technology officer at database security vendor Imperva, also expressed surprise about the lack of Oracle patching policies at some companies. "It's one thing to have a policy saying you don't have to patch each and every database," he noted. "It's a different thing to have no policy at all."

By the same token, Shulman also was surprised that the number of surveyed companies with policies mandating the immediate installation of Oracle's patches was as high as it was. DBAs often need more than three months to test the patches thoroughly to make sure they won't disrupt production databases, he said. And companies then need to schedule times when they can bring down servers that are running business-critical applications in order to install the patches.

"It would be irresponsible for a company to deploy a patch in production without first running it through quality assurance," Shulman said. He also recommended that users do a risk analysis of the security vulnerabilities being patched by Oracle so they can decide which of their databases should be updated first.

According to Abramson, the survey results also show that the availability of better tools or documentation for testing Oracle's patches could have an impact on how quickly companies apply them. "Understanding what is contained in these patches is really the challenge for DBAs today," he said. "It's important for administrators to understand the context in which they're presented." Otherwise, he added, the DBAs might have trouble determining how relevant individual patches are to their IT environments.

Shulman said the information that Oracle releases about its patches sometimes simply isn't sufficient for DBAs to make quick decisions about deployments. Oracle has made some improvements in that area, he said, but he still thinks that its patch documentation doesn't provide the same level of information as that of other vendors, such as Microsoft Corp.

Oracle didn't immediately respond to a request for comment about the new survey results. But a posting on the company's Global Product Security Blog said that as a result of the surveys, Oracle will "explore ways" to enhance its CPU documentation to help make it easier and faster for customers to test patches.

The blog post, written by Eric Maurice, Oracle's director of software security assurance, also noted that the vendor and the IOUG would work together on efforts to promote the broader adoption of formal policies for deploying patches.

Follow Us

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags Oraclesecurity patch


Show Comments