Close
  • Latest News
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
Read Down
Sign in
Close
Welcome!Log into your account
Forgot your password?
Read Down
Password recovery
Recover your password
Close
Search
Logo
Logo
  • Latest News
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
More
    Home Cybersecurity
    • Cybersecurity
    • Database
    • Development
    • Networking

    Fixing the Oracle Database Security Patching Process

    By
    Brian Prince
    -
    March 4, 2009
    Share
    Facebook
    Twitter
    Linkedin

      Last week, the Independent Oracle Users Group reported that most organizations are not keeping up-to-date with patches for the Oracle database. That news did not come as a surprise to most due to the challenges of testing patches.

      Still, with so many databases out-of-step with the latest patch, the findings pose a key question: What do we do about it?

      For its part, Oracle has reportedly committed to enhancing the CPU (Critical Patch Update) documentation to help customers determine what areas need to be tested in their environment prior to patch deployment. Company officials did not respond immediately to an inquiry about what would be added. However, bolstering the CPU documentation may be a good place to start.

      “Since the patches come out with minimal information about the actual vulnerabilities, and understandably so, it is very hard for an organization to understand the priority of patching and the risk involved in not patching,” said Slavik Markovich, CTO of Sentrigo, adding that organizations can obviously draw some conclusions from the CVSS score.

      Having a standard set of applications or scripts to test and validate a patch also helps when it comes time to assess the risk of patch deployment, and can possibly shorten the amount of time needed for testing, said Michelle Malcher, director of special interest groups for the IOUG.

      “There was also a recent article in the IOUG Select Journal by Arup Nanda, ‘DBA Best Practices from the Field,” that talked about having two Oracle Homes for the implementing of patches, which helps with recoverability as well as minimizing downtime for patching,” she added.

      Planning ahead and having good policies is also important. Enterprises should have a policy of identifying their most critical databases so they can be tested and patched first, Markovich said.

      Similarly, Imperva CTO Amichai Shulman said organizations need to incorporate patches into their standard application update cycles. For example, if an organization is planning to deploy a new version of an application in August and their quality assurance process starts in June, the organization should plan to incorporate the April patch as part of the August application update, Shulman said.

      However, many organizations lack a policy altogether when it comes to the Oracle updates. According to IOUG, 30 percent of the respondents said their organizations have no guidelines whatsoever regarding Oracle’s CPUs, and just 26 percent require that the updates be applied systematically across the entire environment when they are released by Oracle.

      “It’s one thing to have a policy saying, -We only install patches once a year, after each patch has been tested in QA for at least two months,'” Shulman said. “It’s a totally different thing to have no policy at all, which usually results in an organization delaying patch installations for extended periods of time or installing the wrong patches first.”

      When asked how quickly they apply CPUs, 30 percent reported they typically apply the patches before the next one is released. The next largest group-25 percent-indicated that they were typically three to six months behind. Eleven percent said they had never applied a CPU.

      For help understanding the vulnerabilities, administrators can turn to Oracle Metalink and look to independent sources for additional information.

      “In general, during the first few weeks after a critical patch is released, independent researchers publish full details about the vulnerabilities that have contributed to the patch,” Shulman noted. “Reading this information greatly helps security professionals to understand the vulnerabilities and potential workarounds … [S]ome database security experts understand how to read between the lines of the Oracle Risk Matrix released with a patch and are able to interpret and explain more precisely the risk associated to specific environments.”

      Brian Prince

      MOST POPULAR ARTICLES

      Cybersecurity

      Visa’s Michael Jabbara on Cybersecurity and Digital...

      James Maguire - May 17, 2022 0
      I spoke with Michael Jabbara, VP and Global Head of Fraud Services at Visa, about the cybersecurity technology used to ensure the safe transfer...
      Read more
      Cloud

      Yotascale CEO Asim Razzaq on Controlling Multicloud...

      James Maguire - May 5, 2022 0
      Asim Razzaq, CEO of Yotascale, provides guidance on understanding—and containing—the complex cost structure of multicloud computing. Among the topics we covered:  As you survey the...
      Read more
      Big Data and Analytics

      GoodData CEO Roman Stanek on Business Intelligence...

      James Maguire - May 4, 2022 0
      I spoke with Roman Stanek, CEO of GoodData, about business intelligence, data as a service, and the frustration that many executives have with data...
      Read more
      IT Management

      Intuit’s Nhung Ho on AI for the...

      James Maguire - May 13, 2022 0
      I spoke with Nhung Ho, Vice President of AI at Intuit, about adoption of AI in the small and medium-sized business market, and how...
      Read more
      Applications

      Cisco’s Thimaya Subaiya on Customer Experience in...

      James Maguire - May 10, 2022 0
      I spoke with Thimaya Subaiya, SVP and GM of Global Customer Experience at Cisco, about the factors that create good customer experience – and...
      Read more
      Logo

      eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site’s focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

      Facebook
      Linkedin
      RSS
      Twitter
      Youtube

      Advertisers

      Advertise with TechnologyAdvice on eWeek and our other IT-focused platforms.

      Advertise with Us

      Menu

      • About eWeek
      • Subscribe to our Newsletter
      • Latest News

      Our Brands

      • Privacy Policy
      • Terms
      • About
      • Contact
      • Advertise
      • Sitemap
      • California – Do Not Sell My Information

      Property of TechnologyAdvice.
      © 2021 TechnologyAdvice. All Rights Reserved

      Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

      ×