RE: Latest IOUG Security Report Raises Red Flags on Database Security

  • From: "Matthew Zito" <mzito@xxxxxxxxxxx>
  • To: <dreveewee@xxxxxxxxx>, <oracle-l@xxxxxxxxxxxxx>
  • Date: Fri, 13 Nov 2009 10:42:49 -0500

It's worth noting that while vendors like Microsoft have attempted to make 
patching less complicated, Oracle has only succeeded in making it more complex 
over time.  PSUs are clearly designed to model the Microsoft "cumulative 
update" strategy they have for SQL Server and other products, but instead have 
just created yet another patching approach, requiring a new version of OPatch, 
and offering a whole slew of complexity.

We see that more and more organizations are being forced to apply CPUs by 
auditors and security teams, and a couple that are making the CPU vs. PSU 
decision.  Over time, Oracle is going to make it more and more encouraged to 
apply CPUs or PSUs, until at some point I wouldn't be surprised if it's near 
mandatory.  Oracle is also using this pressure to apply the patches to 
encourage people to upgrade - we have a lot of customers that recently brought 
everything up to 9.2.0.8 or 10.2.0.4 because Oracle stopped making CPUs 
available for any earlier release.

It's a vicious cycle - Oracle makes patching really complicated, attempts to 
simplify it, makes it worse, then forces people to upgrade in order to get the 
patches they're being told they have to apply, and then Oracle tells people 
they'll happily sell them a product that will help fix the thing Oracle made 
complicated.

Thanks,
Matt

(Shameless plug and disclosure: My company, GridApp, of which I am one of the 
founders, makes a database automation software package that, among other 
things, supplants OEM provisioning pack for patching and provisioning, and does 
so quite nicely.

http://www.gridapp.com/products/patching.php

Back to offering legit content.)



-----Original Message-----
From: oracle-l-bounce@xxxxxxxxxxxxx on behalf of Andre van Winssen
Sent: Fri 11/13/2009 3:03 AM
To: oracle-l@xxxxxxxxxxxxx
Subject: Latest IOUG Security Report Raises Red Flags on Database Security
 
see
http://www.oracle.com/newsletters/information-indepth/database-insider/nov-09/ioug.html?msgid=8308418&eid=3914466482&lid=1


<quote>

"But there is good news, too. Moving to an automated environment addresses
burgeoning security and compliance requirements while containing costs.
Those companies that have employed automated security tools and
approaches-which demand little or no time from administrators or other IT
personnel-have been able to maintain and expand robust security practices
(particularly in situations where critical data is susceptible to exposure)
and achieve regulatory compliance."

</quote>

so this is a plea for patch automation.

I still don't understand why Oracle lets you pay for automating patching of
THEIR own security bugs, i.e. because you would have to buy their Oracle
Enterprise Manager Provisioning and Patch Automation Pack
(http://www.oracle.com/technology/products/oem/pdf/provpack_db_ds.pdf).
Think about the impact of the last Oracle Critical Patch Update Advisory -
October 2009 on
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuoct2009.html#AppendixDB
which had 3 times Base Score *10* for the database, the most severe
classification I have seen so far.
Imagine an enterprise with hundreds or thousands of databases and only a
couple of tens of human DBAs.
My point is: Oracle should provide mass patching tools for free, they owe us!

Regards,
Andre
