With the recent announcement of its Critical Patch Updates strategy, Oracle Corp., like rival software developers, is striving to strike a balance between providing customers with crucial software fixes and making sure the patches have been properly tested. Before announcing her companys patch strategy two weeks ago, Oracle Chief Security Officer Mary Ann Davidson spoke with eWEEK Senior Writer Brian Fonseca to share her thoughts on the types of security threats of most concern to her database customers. The following are excerpts.
How did Oracle decide on which dates to offer its new quarterly update process, and why institute a “cumulative” approach?
Were going to make it as painless as possible, so we picked the dates based on trying to optimize around most peoples calendars, such as [avoiding] blackout periods. If its applicable and there are multiple security issues that affect different products, all those patches for each product family all come out at the same time. That way, you dont have to take your system down this month for the database, and next month for the Application Server. Customers say theyll just have a meltdown to do this once a month, so once a quarter seemed something they could live with.
What is the criteria for the unexpected security alert to appear?
There perhaps still may be occasions where we will do traditional security alerts but only in cases of highly security issues if theres a patch available. Generally speaking, were going to try to adhere to regular schedules. Its better for us and better for customers.
What other types of ways can you help users protect themselves and be more patch-responsive?
Well send out reminders. As part of this effort, we are looking at how can we provide better information to customers, which includes which patches do I apply first, be it a database or application server, and to try and anticipate questions customers will ask us and provide FAQs to deliverables. What you dont want to do is have people call you for information you shouldve had in the first place.
How do you respond to criticism from the security research community that Oracle has lagged in rolling out patches fast enough?
We always try to fix these as quickly as possible. From a researchers standpoint, their definition is “I told you about [a vulnerability] on Tuesday, and you should have a patch ready in two days.” But from a customer standpoint, that doesnt solve their problem either from our perspective. Customers are not running on the latest product versions, so you have to make sure that back-ports happen. A customers problem isnt fixed until they have something in their hands that has the version theyre running on, and in order to apply it, its not going to break what they have installed. We all want to fix things faster, but we also need to make sure [that] when we get fixes out there to the customer, the impact is minimized.
Third Parties Cant Help
New, small, third-party database security vendors are trying to convince customers that additional muscle is needed to secure their databases. Do you agree?
Theres a lot that goes into phases of securing your database, like good testing and instructive testing. Thats something a third party cannot help you with. Its our code. If we cant do that, theres nothing a third-party database vendor can help you with. Secondly, in terms of the [databases] security features and functions, its our product, and we feel we do a better job with our customers. We dont lose business on security. We have features they dont have, more granular access control and more granular auditing. Weve spent millions having other people validating weve done our jobs properly. In general, thats an achievable hurdle for both large and small vendors.
What are some of your customers biggest concerns for database security?
A number of companies feel uncomfortable with the thought that “I cant trust my internal users.” I think a lot of [fears] are driven by regulatory compliance, in a way forcing them to do good things they may have not done before. I have had discussions with customers that are on products that have not been supported for 10 years, and they never applied patches. Now they want you do to security analysis to tell them if theyre at risk. Particularly, these seem to be people running mission-critical systems. I think the assumption is that nothing bad happened and nothing ever will.
In general, have large-scale database and software vendors taken steps to better secure their users systems?
[For] the industry as a whole, there are things we need to do better. I want to make it as easy as possible to use and operate Oracle as securely as possible. What you want to do is make it easy for customers to say, “Yes, I know what my risk is, I know where the patch is, and I can apply this patch” if they want. People will make business decisions on whether [they] want to apply this patch or not.