Today Sentrigo have released a short press statement titled Survey of Oracle Database Professionals Reveals Most Do Not Apply Security Patches that discusses their findings over the last few months of taking a poll at various Oracle conferences and user groups. The results are shocking:
"This survey scares the heck out of me," said Mike Rothman, president and principal analyst, Security Incite. "The database is where most of an organization's critical and regulated data resides and if it's not patched in a timely fashion, organizations are asking for trouble."
But from my perspective not shocking as I talk to lots of my own customers (usually the discussion comes around to patching and CPU's) and also lots of Oracle's customers at various conferences and user groups that i attend. The recent round table at the UKOUG spent most of the time discussing the same subject and the feeling there was the same, that only a very small percentage of people install a CPU within the quarter (perhaps 1 - 5%), a slightly larger percentage do apply CPU's but usually not within the quarter. The worst figure is that around 80% never apply a CPU at all, although in my experience I come across a strange phenomina in this area that i find databases where a CPU has been applied but its perhaps 2 years old. This indicates to me that there was some effort in this area but then the company "gave up".
Sentrigo found that 10% of respondents had applied the latest CPU. There is some lag here though in that this could span two quarters so the figure may be worse. Then they found that 67.5 respondents had never applied a CPU.
There are companies out there who buck the trend (you know who you are!) and do apply CPU's consistently and to large numbers of databases successfuly and within around one quarter. It is possible and it can be done reliably.
I am starting to get the impression from talking to a lot of people that the issue has become psycological, a lot of companies beleive its difficult, that it will fail and that everything in the organisation needs to be regerssion tested. Remember that Oracle do re-release patches after a lot of feedback from customer applications and they do fix bugs found.
Patching should be easier (physically and on the mind!), afterall most people let Windows download and update automatically (Please don't take that as an indication that I think Oracle databases can be patched authomatically like Windows - I don't!) but the process can become easier.
As Slavik said, tools like Sentrigo's Hedgehog can provide an additional layer of security until you patch or for un-supported databases.
There has been 3 Comments posted on this article