Call: +44 (0)1904 557620 Call

Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

[Previous entry: "Hacking Oracle with a coffee machine?"] [Next entry: "SQL Injection tools"]

An Oracle Security Survey by The IOUG and Oracle

I have been asked to promote the survey on the IOUG site by the IOUG and Oracle to ask customers for feedback on the security and vulnerability remediation procedures implemented by Oracle customers.

I would ask as many people as possible to spend some time to fill this survey in as it will help define feedback to the next Oracle Security Customer Advisory Council (SCAC). This survey should allow everyone to have their say to Oracle on subjects such as the CPU process, advisories and deployments. I have been made aware that quite a lot of people who care about patching and CPU's have taken part all ready. To be able to get a balanced view its important that as many other people as possible also take part and pass their views to Oracle / IOUG.

Let me simply quote from the survey site:

"This survey is conducted by IOUG and Oracle for the purpose of understanding security and vulnerability remediation procedures implemented by Oracle customers. The results of this survey will help identify relevant topics for joint security training activities, and also help IOUG¿s Security Special Interest Group formulate its feedback during Oracle¿s next Security Customer Advisory Council (SCAC). Customer feedback is extremely important and has previously resulted in Oracle¿s adoption of the Common Vulnerability Scoring System (CVSS) and other enhancements in the Critical Patch Update (CPU) documentation and release process."

To take the survey go to and register. This is simply deciding on a username and a password, no more. Then choose to take the "OSSA Security Survey II" survey. There is also a second one that has 20 pages and is much longer. The one I have been told to take is the 12 page one.

The survey is quite simple and includes 12 steps to complete, gathering details on all stages of CPU analysis, test, deployment, decisions, why you might apply a CPU (this is a good one), opinion on the CVSS, the CPU process and much much more.

It is everyones duty to feedback to Oracle on this as (OK, thats strong, but I listen to a lot of people on this one subject). Have your say, Oracle are not going to bite, they want this process to be one that helps and encourages customers to apply patches just as much as we do.

I feel strongly about this survey, if you can pass it on to others to complete, colleagues, forums, blogs etc, please do. Let's get an opinion of what needs to be better and lets get more people to apply CPU's.