Twenty-Four Seven Security

Peter Schooff

DBAs Mixed on Oracle's Security Efforts

With a week for DBAs to get accustomed to Oracle’s October patch update and revamped bulletin, so far the reviews have been mixed. In its most recent quarterly update, Oracle fixed 101 security flaws and included an updated bulletin that provides more details on the flaws being fixed.

In an article at SearchSecurity.com, DBAs discussed their impressions of Oracle’s updated approach. Some said the more detailed bulletin made deploying patches easier, while others said it made little difference. Also, half of those interviewed said that Oracle still had a way to go to improve their security process.

Many complained about how long it took for Oracle to issue the patches. Arup Nanda, a database engineer for Starwood Hotels and Resorts, said, "Some of the vulnerabilities are so severe that one would expect a resolution in a matter of days, yet they took months, and only after exploits had been lingering around the Internet for a while. So yes, Oracle should beef up their process."

Nanda was also not impressed with the new bulletin format, while Chris Ruel, an Oracle DBA with Perpetual Technologies Inc., added that he couldn’t tell the difference between this bulletin and the last one.

"Typically I don't pay much attention to the bulletins," he said. "The patches come out and I'm simply required to apply them. I read the technical details on how to apply it, but to me, they are security flaws that simply must be patched, so I don't get as mired in all the flaw details. I couldn't have told you it was any different than last time."

Other DBAs said they did notice the more informative bulletins, and found them helpful. Brian Peasland, a DBA working as a contractor with the U.S. Geological Survey, said, "This part of the bulletin is much clearer and makes it easier for me to quickly locate the patch for my specific version and platform. Prior to this bulletin, one had to click on another Metalink note and then make one more click just to find the patch number to download. My opinion is that the October 2006 CPU bulletin is much cleaner than previous ones."

Jon Emmons, an Oracle database consultant and blogger of Life After Coffee, said in an email interview, "Perhaps the most valuable new feature in the CPU bulletin is the executive summaries. These bulleted lists give a great high-level summary. At one point or another we've all had to explain to our boss why we need to apply these patches and now Oracle has given us the words to do it with."

The DBA did say that it's important that the CPU clearly identifies the nature of the flaws and the specific products affected. Also, the harder it is to understand the bulletin, the longer it takes to start the deployment. While the actual patching process isn't all that time consuming (usually only about 30 minutes), it's the testing and the scheduling of downtime that are much more time intensive. All the more reason Oracle needs to be clear, concise, and timely in order to properly serve a company's most valuable informational asset, its data.

Peter Schooff's blog is a daily look at what's going on in the world of computer security with an emphasis on how it affects businesses.

Peter Schooff is Contributing Editor at ebizQ, and manager of the ebizQ Forum. Contact him at pschooff@techtarget.com
