
Pete Finnigan's Oracle security weblog




Oracle owns up to patching problems

July 19th, 2006 by Pete


Oracle owns up to patching problems - By Bill Brenner, SearchSecurity.com

"Database giant Oracle Corp. has faced mounting criticism of its security patching process during the last two years.

Its quarterly Critical Patch Updates (CPUs) are typically followed by reports from security researchers of flaws not being fixed as advertised. The Redwood Shores, Calif.-based vendor has also been accused of sitting on vulnerabilities that are more than a year old, and of releasing patch bulletins that are hopelessly difficult to decipher. That criticism will likely continue after the next CPU is released July 18."


This is an interesting interview by Bill Brenner with Darius Wiles and John Heimann, who are both inextricably linked to the building, testing and releasing of patches. I thought some of the answers were weak and fluffy. For instance, Darius says that they sometimes do not see issues that become apparent later in fixes when they are installed on customer platforms. Why would a customer platform cause a fix to become invalid? Do Oracle not install from the same media as customers when testing? Probably not.

Also, John suggests that the Oracle code is more complex than the shuttle. I would hope so: it's a huge product, and the shuttle is around 25 years old; technology has moved on apace.

There are some positive messages: the fact that Oracle is now focused on standards, training, secure coding and the use of tools such as Fortify, and also the fact that they are now talking openly to Bill, is a good sign that Oracle now recognise (publicly) that there are problems with the patch process and the pace of fix releases. I am also impressed that they are taking on board the issues around the CPU documentation and are considering releasing more details, the audiences and so on. Let's see what improves.

Nice article!


This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.
