With the recent announcement of its Critical Patch Updates strategy, Oracle Corp., like rival software developers, is striving to strike a balance between providing customers with crucial software fixes and making sure the patches have been properly tested. Before announcing her company's patch strategy two weeks ago, Oracle Chief Security Officer Mary Ann Davidson spoke with eWEEK Senior Writer Brian Fonseca to share her thoughts on the types of security threats of most concern to her database customers. The following are excerpts.
How did Oracle decide on which dates to offer its new quarterly update process, and why institute a "cumulative" approach?
We're going to make it as painless as possible, so we picked the dates based on trying to optimize around most people's calendars, such as [avoiding] blackout periods. If it's applicable and there are multiple security issues that affect different products, all those patches for each product family all come out at the same time. That way, you don't have to take your system down this month for the database, and next month for the Application Server. Customers say they'll just have a meltdown to do this once a month, so once a quarter seemed something they could live with.
What are the criteria for the unexpected security alert to appear?
There perhaps still may be occasions where we will do traditional security alerts but only in cases of highly security issues if there's a patch available. Generally speaking, we're going to try to adhere to regular schedules. It's better for us and better for customers.
What other types of ways can you help users protect themselves and be more patch-responsive?
We'll send out reminders. As part of this effort, we are looking at how can we provide better information to customers, which includes which patches do I apply first, be it a database or application server, and to try and anticipate questions customers will ask us and provide FAQs to deliverables. What you don't want to do is have people call you for information you should've had in the first place.
How do you respond to criticism from the security research community that Oracle has lagged in rolling out patches fast enough?
We always try to fix these as quickly as possible. From a researcher's standpoint, their definition is "I told you about [a vulnerability] on Tuesday, and you should have a patch ready in two days." But from a customer standpoint, that doesn't solve their problem either from our perspective. Customers are not running on the latest product versions, so you have to make sure that back-ports happen. A customer's problem isn't fixed until they have something in their hands that has the version they're running on, and in order to apply it, it's not going to break what they have installed. We all want to fix things faster, but we also need to make sure [that] when we get fixes out there to the customer, the impact is minimized.