Page 3

The fact of the matter, though, is that Oracle has five product stacks, with all major platforms. Thats a lot—between 30 million to 40 million lines—of code to test, cross-product. Oracle doesnt want to ship patches that will break production databases. Hence, the lengthy gaps. Given the number of products Oracle has acquired on the buying spree that started with PeopleSoft and most recently encompassed Siebel, its hard to imagine it will succeed in cutting the time between flaw discovery and patch release. And what will Project Fusion do to the code set? Its meant to be a brand-new rearchitecting of the way Oracles applications work, new from the ground up, using the best of the Siebel, PeopleSoft, Oracle, J.D. Edwards and all the smaller acquisitions products. Dan Downing, vice president of testing services at business applications testing, hosting and managing company Mentora, said that could have good and bad points. "On one hand, thats a wonderful thing, because it will mean Oracle doesnt have to patch up old sins," he said. "Software architectures get leaky after awhile. "But from a practical perspective, it means entering a whole new evolutionary cycle of a chunk of software that initially will be immature, and there will be lots of problems with it before it matures." But given the feedback from customers on this issue, Oracle is still dead set on improving both patch turnaround time and patch quality, according to Darius Wiles, senior manager of Oracle Security Alerts. "Obviously its something that concerns us and something we plan to improve," he said. "[But] if a customer cant apply a patch, they wont phone the press, but its their No. 1 concern. They want to make sure the patch will work the first time. If you ask them, theyll say their No. 1 complaint is to improve the quality of patches." But patch quality makes for extended testing time, meaning that it makes it still tougher to shorten the time to patch delivery. "Obviously we want to have our cake and eat it too," Wiles said. "Were looking at internal processes. For nonsecurity bug processing, we want to streamline that and get owners assigned to [issues] more quickly, and make sure developers [assigned] to do fixes find out about it as quickly as possible, and make sure resources are available to do that fix." So where does all this leave customers as they brace for the coming CPU and the coming headlines? With this knowledge: The number of vulnerabilities security researchers report and that end up in headlines is largely composed of false positives, so dont take the number to heart. Do bear in mind that there will be a kernel of truth—i.e., true positives—at the heart of security researchers reports. After all, Oracle isnt alone in dealing with a massive code set that has flaws. Any massive code set does. But going by a day spent at Oracle headquarters, the takeaway is that Oracle is taking customers complaints to heart: Its taking the positives seriously, is battling to reduce the time to patch delivery and is trying to do so while improving patch quality. And its doing all this not because of security researchers and negative headlines, but because of customer feedback. So for those customers who are providing that feedback, keep it up. For those who arent, it wouldnt hurt to start. Check out eWEEK.coms for the latest database news, reviews and analysis.