Most Oracle database shops don't mandate use of security patches, survey says
Oracle, IOUG find that only 32% of surveyed users require patching of all or some systems
Computerworld - A continuing lack of corporate mandates to quickly install Oracle Corp.'s security patches may be leaving many Oracle database installations exposed to vulnerabilities for extended periods of time, according to survey results released on Wednesday.
In a pair of online surveys that were jointly conducted between May and August of last year by the Independent Oracle Users Group (IOUG) and Oracle, only 26% of the 150-plus respondents said that their companies require the software vendor's quarterly patch updates to be applied on all systems as soon as they're released.
Another 6% said they're required to install Oracle's Critical Patch Updates (CPU) on critical systems only, the IOUG and Oracle wrote in a report. Meanwhile, 30% said their companies didn't have any specific policies in regards to Oracle's patches, while 32% said their policies required database administrators to do either risk or cost-benefit analyses in order to justify the installation of patches in production databases.
In addition, the survey results showed that most of the respondents were months or even more than a year behind Oracle's patch releases. Only 30% said they typically installed patches before the vendor released its next CPU, according to the report. Twenty-five percent said they were one cycle, or three to six months, behind in installing the patches, while 26% said they were two to four cycles behind. Another 11% said they hadn't installed any of Oracle's patch updates on their systems.
Oracle, which initiated its quarterly patching schedule in early 2005, typically issues dozens of patches across its entire product suite as part of the updates. But applying patches to production databases is a complex and time-consuming task that can require months of labor and significant system downtime, leaving many companies slow to install the updates or reluctant to do so at all.
While the new survey results are likely to sound some alarms from an IT security standpoint, they're actually better than the ones contained in a report released early last year by Sentrigo Inc., a vendor of database security tools in San Mateo, Calif. Sentrigo reported that more than two-thirds of the Oracle DBAs it polled over a six-month period — 206 out of 305 — said they had never installed an Oracle patch on their database servers, no matter how critical the vulnerabilities that were being patched.
Nonetheless, the apparent fact that many companies haven't even set policies for dealing with Oracle's CPU is somewhat startling, especially considering that databases often are the most valuable corporate assets within businesses, said Ian Abramson, president of the IOUG.
"I think probably the feeling in those organizations is that since databases are a little more isolated than the desktop, there's less of a [security] concern," he said. "A lot of people feel they're more secure because they're behind firewalls and think they have good perimeter security." That probably explains why some of the companies surveyed by the IOUG and Oracle said they had formal patching policies for their Windows systems but not their Oracle databases, added Abramson, who is director of the enterprise data group at Thoughtcorp, a consulting and IT services firm in Toronto.
- Best iPhone, iPad Business Apps for 2014
- 14 Tech Conventions You Should Attend in 2014
- 10 Desktop Apps to Power Your Windows PC
- How to Add New Job Skills Without Going Back to School
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
Red Hat Enterprise Linux - The Original Cloud Operating System
Linux adoption is growing against a number of measures, such as the
number of supercomputers that run Linux and the size of the contributing...
- OpenStack Hype vs. Reality: CIO Quick Pulse Open-source architecture can enable IT departments to build infrastructure-as-a-service (IaaS) clouds running on standard hardware.
- Building a Bridge to the Next Generation Data Center Selecting a widely adopted operating system is a foundational component of a standardization strategy.
- OpenStack and Red Hat: IDC White paper Most OpenStack deployments are by public cloud providers that are early adopters of technology and use OpenStack in a do-it-yourself deployment and support...
- Live Webcast Best Practices for the Hyperconverged Enterprise Network To the Age of Constant Connectivity and Information overload
- Live Webcast Unmasking the Differences between Consumer and Enterprise File Sync & Share The consumerization of IT combined with the rapid pace of the modern mobile workplace is forcing enterprise IT teams to evaluate file sync...
- Live Webcast Government Agency Webifies Outdated COBOL Applications Let this CTO tell you how his agency converted 1980s-era green screens into an e-filing portal for the 100,000 cases handled each year...
- The New Way to Work Knowledge Vault This Knowledge Vault focuses on how, in today's increasingly virtual world, it's more important than ever to engage deeply with employees, suppliers, partners,...
- Getting Ready for BlackBerry Enterprise Service 10.2 Find out how BlackBerry® Enterprise Service 10 helps organizations address the full spectrum of EMM challenges, while balancing the needs of both the... All Applications White Papers | Webcasts