Q&A: Oracle exec says users get enough flaw info
The company's security unit chief defends limited disclosures, quarterly patching schedule
Computerworld - As senior director of security assurance at Oracle Corp., Duncan Harris is in charge of the company's vulnerability remediation processes. He also manages a team of "ethical hackers" at Oracle's Reading, England, software lab whose job is to find flaws in the vendor's products. Following Oracle's latest quarterly patch release this week (see "Oracle releases patches for 82 flaws"), Harris spoke with Computerworld about the company's patching policies and its relationship with the IT security community.
Oracle just announced patches for 82 vulnerabilities. Why so many? Oracle doesn't shy away from fixing flaws publicly through our Critical Patch Updates. We don't hide our internally discovered vulnerabilities. When we discover something internally, we still mention it in our Critical Patch Updates. Other vendors, as the security community knows, may be doing silent fixes. It is something we don't believe in. That is part of the explanation for the large number of vulnerabilities. Certainly, there is also much more attention being paid to Oracle for whatever reason.
Critics say Oracle doesn't share enough vulnerability information for users to make proper risk assessments. Why don't you disclose more details? As part of our exercise to work out with customers what the regular schedule for our patches should be, we talked to them about the level of information they required in order to understand sufficiently whether they were affected by a vulnerability and what the impact would be if the vulnerability was exploited. We listened very carefully to that, and we have come up with a system where we identify in risk matrices for every one of our product stacks the nature of each of the vulnerabilities that we fix within a quarterly patch update. We believe that it is sufficient information for our customers. Our advisories are for our customers' benefit. They are not for the benefit of the security community.
Are quarterly updates good enough for users? The comparison is quite clearly with Microsoft's monthly updates. You have to remember that Windows updates are clearly aimed at client machines. Oracle has client-side products, some of which are quite important, but our fundamental focus is on the server side. Comparing this to the monthly patching that Microsoft does is like comparing apples and oranges. It really is quite different to have a systems administrator patch a server-side system and a small client.
Why do you think the security community is so unhappy with Oracle? In terms of working with the security community, we work very well with those that are happy to abide by the security vulnerability
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts