IDG were scheduled to interview Oracle's CSO
May 24th, 2005 by Pete
I got an email from Scarlet Pruitt a few days ago to say she was scheduled to interview Oracle's Chief Security Officer (CSO). She asked whether, as I was interested in the area of Oracle security, I had any questions that might be relevant to her discussion. I suggested two questions, as follows:
"o - Why is it that certain researchers (for instance Alex Kornbrust and Esteban Martínez Fayó - there are others) have lists in total of over 100 unfixed security bugs on their web sites - some of which were reported 21 months ago, also some of which are high risk to customers? Why does it take Oracle so long to fix security bugs?
o - Does she plan to release more helpful information with each quarterly patch scheduled release such as information to help customers decide whether they are at risk if they do not patch quickly? This could include detailed lists of which products are vulnerable - i.e. for CPU April 2005 - and you run version 8.1.7 you should patch only if you run OID and Oracle HTTP Server."
It will be interesting to see if she managed to do the interview and also what the answers might be.


