
Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.


IDG were scheduled to interview Oracle's CSO

I got an email from Scarlet Pruitt a few days ago to say she was scheduled to interview Oracle's Chief Security Officer (CSO). She asked whether, as I was interested in the area of Oracle security, I had any questions that might be relevant to her discussion. I suggested two questions, as follows:

"o - Why is it that certain researchers (for instance Alex Kornbrust and Esteban Martínez Fayó - there are others) have lists in total of over 100 unfixed security bugs on their web sites - some of which were reported 21 months ago, also some of which are high risk to customers? Why does it take Oracle so long to fix security bugs?

o - Does she plan to release more helpful information with each quarterly patch scheduled release, such as information to help customers decide whether they are at risk if they do not patch quickly? This could include detailed lists of which products are vulnerable - i.e. for CPU April 2005 - and you run version 8.1.7 you should patch only if you run OID and Oracle HTTP Server."

It will be interesting to see if she managed to do the interview and also what her answers might be.