Update: Two-thirds of Oracle DBAs don't apply security patches
Complexity of task makes admins not want to bother
Computerworld - Oracle Corp. issues dozens of security patches every quarter, but that doesn't mean database administrators are necessarily implementing them.
In fact, a good two-thirds of all Oracle DBAs appear not to be installing Oracle's security patches at all, no matter how critical the vulnerabilities may be, according to survey results from Sentrigo Inc., a Woburn, Mass.-based vendor of database security products.
The results are "surprising, and to be candid, quite frightening," said Mike Rothman, president of consulting firm Security Incite in Atlanta.
Sentrigo polled 305 Oracle database administrators from 14 Oracle user groups between August 2007 and January 2008. The company basically asked the administrators two questions: whether they had installed the latest Oracle patches, and whether they had ever installed any of Oracle's security updates.
The results, which come even as Oracle is scheduled to release its next batch of quarterly Critical Patch Updates tomorrow, showed that 206 out of the 305 surveyed said they had never applied any Oracle CPUs. Just 31 said they had installed the most recent security update from the company. In total, only one-third said they had ever installed an Oracle CPU.In an e-mailed statement, Oracle said the company "encourages organizations [to] apply Critical Patch Updates in a timely fashion to maintain their security posture."
"Critical Patch Updates for the Oracle Database are cumulative for the patch set to which they apply, making it easier for customers to keep their systems current with the latest security patch updates," the company said.
The results support what Sentrigo has been hearing anecdotally for sometime, said Slavik Markovich, chief technology officer at Sentrigo. "Some database administrators don't even monitor for Oracle's CPUs. They don't even know when the CPUs come out," he said. "Sometimes, even if their security department tells them to deploy it, they just ignore it," he said.
There are two major reasons for the trend, Markovich said. The first and most important is that most DBAs fear the consequences of installing a patch on a running database, he said.
"To apply the CPU, you need to change the binaries of the database," he said. "You change the database behavior in some ways that may affect application performance," he said. So applying security patches to a database typically involves testing them against the applications that feed off the database, he said. "This is a very long and very hard process to do, especially if you are in enterprises with a large number of databases and applications," he said. Applying these patches means months of labor and sometimes significant downtime, both of which most companies can't afford, he said.
- Troubleshooting Common Issues in VoIP Learn more about Voice over Internet Protocol (VoIP), including common VoIP metrics used, best practices in VoIP management and tips and tricks for...
- 2013 Network Management Software (NMS) Buyers Guide This white paper contains an independent comparison study of six different network management solutions and provides guidance on how you can choose the...
- Rightsizing Your Network Performance Management Solution: 4 Case Studies This white paper discusses challenges encountered as organizations search for the most cost-effective network performance management solution.
- Global Growing Pains: Tapping into B2B Integration Services to Overcome Global Expansion Challenges A recent survey by IDG Research explored both the challenges and pain points companies face when growing globally, as well as the capabilities...
- Live Webcast 5 Steps to Assuring Quality of Experience In order to align monitoring and management practices with the true demands of the business, IT professionals must expand beyond traditional comfort zones...
- Live Webcast Master the Changing SAP Landscape with Performance Management SAP landscapes are not getting simpler. Gradually, business processes that used to be contained on a single SAP system now involve a range...
- E-Signature RFP Checklist Webcast If your organization is looking to adopt e-signatures, you may be overwhelmed by the number of providers that offer seemingly similar solutions. How...
- Cloud and Collaboration: Driving Your Business Value Mission Critical Cloud from Peer 1 Hosting is enterprise-grade. All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!