Call: +44 (0)1904 557620 Call

Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

[Previous entry: "A new version of woraauthbf is available (The Oracle password cracker)"] [Next entry: "Presentation on using VPD in the real world available"]

IOUG Critical Patch Update Survey Results Are Out

I got an email last week from the IOUG to indicate that the long awaited results from the survey last year on CPU's are out. I promoted the survey a couple of times last year when it still had some time to run.

I am not going to go into detail on the results as they are contained in a 10 page pdf that you can download yourselves. Simply go to this link on the IOUG site and download the pdf from the link there.

It is interesting that the survey matches the discussions I have quite often with clients, people at conferences, SIG's and almost where-ever I go. People are always wanting views on CPU applications - or not! - the application that is. I always say two things. 1) CPU's are only part of the problem of securing an Oracle database - that is to be secure you cannot just apply a CPU, you must do all of the other work to secure the database, configuration, privileges, access, audit.... much, much more and 2) at the end of the day; taking out all of the issues, you can either apply a CPU or not, its simple. Well its simple to say but in practice, psycologically, reallity, its often hard to do for lots of reasons, mostly availability, performance, downtime, stability... This is one of the key conclusions found by the survey BUT I already new this. I also like the first conclusion and agree with it. If there was a way to make it more formal to apply patches then it would be better for security, but as discussed above it wouldnt secure the database (because security is not just patches) and also it would not fix the perception/reality of stability, availability etc. This is a very complex problem to fix; in part due to the complexity of the Oracle software, the large number of platforms, applications, configuration options....

The survey also showed that 30% of respondents patch within the quarter BUT 70% don't! We have seen a lot of improvement since the first security alerts 8 years ago but we still clearly have a long way to go to get people to patch in the quarter.

Good survey, good comments and conclusion and I think it reflects the reallity that I get to see and also that I am talked to about regularly.

Lets have another annually and lets see if we can get improvements.