[Previous entry: "Truncating the audit trail"] [Next entry: "The SANS S.C.O.R.E. Oracle security checklist has been updated"]
Arup Nanda is interviewed about the Oracle security patch nightmare
September 22nd, 2004 by Pete
Post to del.icio.us
Post to Furl
I just came across an interview by Robert Westervelt a news writer for SearchOracle.com that was written yesterday 21-09-04. The article is here. Arup is a very well known Oracle security expert and has written an excellent book "Oracle privacy security auditing" published by Rampant press which is all about getting an Oracle database to comply with the HIPAA, SO and GLB acts in the USA. The book is very well written and covers good ground. I plan to review it in the near future here. Arup is interviewed about the issues with the first of the new monthly patch releases from Oracle, the infamous alert #68. His concerns centre on the fact that Oracle have released very little information about the large number of security fixes this patch addresses and the fact that this makes it hard for customers to know which functions of Oracle need patching.
I agree with Arups concerns whole heartedly. I know now that a lot of the actual vulnerabilities are described in much more detail on the researcher’s sites who found the issues. Take a look for instance at the extra information detailed on my alerts page for the bugs I found and those Alex Kornbrust found.
I can also only agree with Arup that I hope Oracle provide better information on future alerts so that DBA's can understand the risks of applying or not immediately applying the patches.
