17 January 2008
Many Oracle enterprises ignore its patches, says study
John Sterlicchi,
US bureau chief
Most database administrators do not apply the Critical Patch Updates
(CPUs) that Oracle issues on a quarterly basis, a new study finds.
The news comes in the same week that Oracle released 27 fixes for
various products, including Oracle Database, Application Server,
Collaboration Suite, E-Business Suite and Applications.
The study, conducted by database security software firm Sentrigo,
found that most companies are not applying Oracle CPUs in
a timely manner.
The study, which was conducted at US Oracle Users Group meetings,
collected responses from 305 database administrators, consultants
and developers from August 2007 to January 2008 across various cities
where users met.
Just 31 people, or 10% of the respondents, reported that they applied
what was then the most recently issued Oracle CPU and a whopping
206 out of 305, or 67.5%, said they had never applied any Oracle
CPUs.
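The survey relied on what respondents said they had applied. A DBA can answer the same question from the database itself, because the SQL step of each CPU installation records an entry in the data dictionary. The queries below are an added example, not part of the original article or of Sentrigo's study; they assume Oracle 10g Release 2 or later, where the CPU post-install script writes a row with ACTION = 'CPU' to DBA_REGISTRY_HISTORY, and that the COMMENTS column carries a label such as 'CPUJan2008' (the label format is an assumption to verify against your own output).

```sql
-- Added example (not from the article): which Critical Patch Updates
-- has this database recorded? Assumes Oracle 10.2+, where the CPU
-- post-install script (catcpu.sql) logs an ACTION = 'CPU' row in
-- DBA_REGISTRY_HISTORY. Needs SELECT privilege on that view.
SELECT action_time, action, namespace, version, id, comments
  FROM dba_registry_history
 WHERE action = 'CPU'
 ORDER BY action_time DESC;

-- Days since the most recent recorded CPU. CPUs ship quarterly, so a
-- value well above 90 means at least one update has been skipped.
-- CAST to DATE so the subtraction yields a number of days rather than
-- an INTERVAL, which TRUNC cannot take.
SELECT TRUNC(SYSDATE - CAST(MAX(action_time) AS DATE)) AS days_since_last_cpu
  FROM dba_registry_history
 WHERE action = 'CPU';
```

No rows from the first query corresponds to the survey's "never applied any CPUs" case, with one caveat: the view only records the SQL post-install step. If the binary patch was applied with OPatch but catcpu.sql was never run against a given database, the patched home and the unpatched dictionary disagree, so confirm with the OPatch inventory (`$ORACLE_HOME/OPatch/opatch lsinventory`) before concluding that a host is fully patched.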
Sentrigo chief technology officer Slavik Markovich said the results
were surprising to some and not to others.
“It is difficult to test and deploy updates without disrupting
systems,” he said, adding that IT security staff may not
be fully aware of what is going on on the database side.
Markovich said he was under the impression that more people patch
at least once a year.
“It’s a lot of work not just to check the database
but you have to check the applications that are actually attached
to the database,” he said. “And this can take a lot
of time.”
Rani Osnat, vice-president of marketing at the Woburn, MA-based
company, said that not applying any CPUs shows at the very least a
lack of understanding of what the database vulnerabilities mean and
what kind of risk they pose, and a lack of action on that risk. “I
think it has to be understood that patching is part of running a
database responsibly.”
However, Paul Davie, founder of Oxford, UK-based database security
company Secerno, believes DBAs may think that patching creates
more problems than it solves. “Patching security holes is
expensive; the database needs to be taken offline during the fixing
process, often rendering the heart of the business out of action
for a period of time, and having an unknown impact on applications
etc. The other problem is the need to regression-test prior to patching,
to ensure the patch won’t break existing business processes.”
Sentrigo believes database security is simply not a major priority
among IT security folks. “Most IT security people are more
familiar with network security or operating systems,” Markovich
said. “Still not doing anything is not an option.”