Yesterday Oracle has released a new document "Security Vulnerability Fixing Policy and Process". This is significant as it sets out Oracle's stall on the process that they will use to fix security bugs and release patches. Read this document, it is enlightening. The document covers the critical patch updates, cumulative patches verses one-off patches, and the order of fixing security bugs - there is an example of product and patch release cycles with a diagram. The paper goes on to talk about critical patch update documentation and finally about the process for crediting researchers who find the security bugs. This is where Oracle is clear. If a researcher works with Oracle and does not publish the vulnerability before the fix is available and does not publish exact details of the bugs or exploits or proof of concepts then they will be credited. The paper goes on to justify the reasons for this new stance. Also employees or contractors will not be credited. This paper is worth reading for anyone who wants to understand Oracle's thoughts on fixing security bugs.
Blog
Pete Finnigan's Oracle Security Weblog
This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.
[Previous entry: "Mary Ann speaks about security strategy"] [Next entry: "Why Protect Fort Knox Borders But Ignore The Gold?"]
November 2005
- UKOUG so far - 11/01/2005 by 11/01/2005
- Oracle Express - will we get security patches? - I truly hope so - 11/02/2005 by 11/02/2005
- Oracle has released a new security vulnerability fixing policy and process - 11/03/2005 by 11/03/2005
- Why Protect Fort Knox Borders But Ignore The Gold? - 11/04/2005 by 11/04/2005
- Oracle alerts customers to the so called voyager worm - 11/06/2005 by 11/06/2005
- Oracle adds fine-grain features to ID security - 11/07/2005 by 11/07/2005
- Bruce Schneier blogs about the Oracle password weakness paper - 11/08/2005 by 11/08/2005
- More than 275 new security bugs found last week in the Oracle 10g database - 11/09/2005 by 11/09/2005
- Commercial rainbow cracking - 11/11/2005 by 11/11/2005
- DBMS_ASSERT can be used to protect against SQL Injection - 11/12/2005 by 11/12/2005
- Problems with the October CPU discovered - 11/14/2005 by 11/14/2005
- Oracle responds to the password algorithm weakness paper - 11/15/2005 by 11/15/2005
- OracleXE beta 2 released - 11/17/2005 by 11/17/2005
- Listener password management features - 11/18/2005 by 11/18/2005
- A new Oracle security checklist paper from Oracle - 11/19/2005 by 11/19/2005
- Two new speaking events added to my site - 11/20/2005 by 11/20/2005
- Happy 20th birthday Windows - 11/22/2005 by 11/22/2005
- Oracle Database security checklist from Oracle - 11/24/2005 by 11/24/2005
- 0rm has updated orabf the Oracle password cracker - 11/25/2005 by 11/25/2005
Archives
Syndication
Powered by gm-rss 2.0.0
