Sarbanes-Oxley doesn't apply to the UK either. Do you have a similar law?

On Jan 15, 2008 12:36 PM, Niall Litchfield <niall.litchfield@xxxxxxxxx> wrote:
> The article predates the CPU, and indeed the survey may well predate the
> last one.
>
> I asked a similar question to a room full of apps dbas at UKOUG - though
> to be fair I was talking about how to apply CPUs to EBS so it was a biased
> audience. There were probably 75-100 people in the room (53 responded to the
> questionnaire and you never get everyone). 1 person was up to date, at least
> 2/3rd had never applied a CPU. Other people tend to find similar results.
>
> On the "we are not exposed to the internet" front, that has some merit but
> then the vast majority of attacks are internal anyway.
>
> Niall
>
> On Jan 15, 2008 5:12 PM, Paul Drake <bdbafh@xxxxxxxxx> wrote:
> > On Jan 15, 2008 10:42 AM, Taylor, Chris David <Chris.Taylor@xxxxxxxxxxxxxxx> wrote:
> > > How many of you guys have seen this?
> > >
> > > http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9057226&source=NLT_PM&nlid=8
> > >
> > > What are your thoughts? I know our organization falls into that
> > > category but primarily because we aren't exposed to the outside world. We
> > > don't have external applications so most times I believe that critical
> > > patch updates can be applied during a normal maintenance period.
> > >
> > > *chris*
> >
> > Chris,
> >
> > The press release is located here:
> > http://www.sentrigo.com/press_releases-newsid-39.htm
> >
> > and Pete Finnigan wrote about it here:
> > http://www.petefinnigan.com/weblog/archives/00001141.htm
> >
> > Clearly, the company providing the figures has a self interest in having
> > a market for its products and services (which is disclaimed at the bottom of
> > the press release page).
> >
> > "When asked: "Have you installed *the latest* Oracle CPU?" – Just 31
> > people, or ten percent of the 305 respondents, reported that they applied
> > the most recently issued Oracle CPU."
> >
> > I just downloaded "the latest" critical patch update this morning, as
> > that is when it was released. I plan to apply it in a testing environment
> > later this afternoon.
> > Perhaps semantics matter here just a bit.
> >
> > Only 35 people in the survey replied yes to one of the questions. That's
> > a fairly small sample, statistically speaking. If a dba only gathered
> > (estimated) stats with a sample size of 32 blocks out of a table with say
> > 32K blocks, I doubt that the stats would be very accurate.
> >
> > Would developers be inclined to apply critical patch updates to
> > development servers (where there is no formal dba position)? I would think
> > not.
> >
> > Are critical patch updates available for Oracle XE databases? No.
> >
> > Are some applications running on database versions or patchsets that do
> > not have critical patch updates made available? Yes. (8.1.7.4 and
> > 10.1.0.4 spring to mind.)
> >
> > Would a dba be concerned about remote vulnerabilities for databases that
> > support only connections from application servers that are secured? Probably
> > not.
> >
> > I'm skeptical that the results are representative and are useful for
> > anything other than stirring discussion (and marketing).
> >
> > Paul
>
> --
> Niall Litchfield
> Oracle DBA
> http://www.orawin.info

--
Andrew W. Kerber

'If at first you don't succeed, don't take up skydiving.'