The Oracle security debate
Posted by: Shayna Garlick
Oracle DBAs: To what do you attribute problems with Oracle security?
a.) poorly designed software
b.) failure to apply patches and maintain software
c.) lack of financial resources
d.) all of the above
This question has recently made a small stir in the blogosphere, and not everyone can agree on an answer.
Bex Huff, in his “technology, lifehacks, and all that good stuff” blog, says: “Unlike James McGovern, I don’t believe security problems are entirely due to bad software or clueless developers… I’d argue most security problems are due to improperly configured and improperly maintained software. However, I also believe that blaming the implementation team is a cop-out. Instead, developers need to realize that security is a process, not a product.”
Huff goes on to highlight what he sees as the critical process of Oracle security: applying patches. He is puzzled that fewer than 20% of Oracle customers apply the quarterly security patches (Oracle's Critical Patch Updates) at all.
In his blog “Enterprise Architecture: from Incite comes Insight,” James McGovern says he has the answer: Applying patches is costly. And, he says, it’s not all the fault of the user: “Can we acknowledge that the patch existed because the base software wasn’t written with security in mind in the first place?”
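Before arguing about whose fault an unpatched database is, it helps to know whether yours is one. The query below is an added example, not code from the post or from Huff or McGovern; it assumes SQL*Plus access as a DBA account, that 10.2/11g records applied CPUs and PSUs in REGISTRY$HISTORY, and that 12c and later record them in DBA_REGISTRY_SQLPATCH.

```sql
-- Added example (not from the post or from Huff/McGovern): list the
-- security patches an Oracle database says have been applied to it.
-- Run as SYS or a DBA account. Assumptions: 10.2/11g log CPU/PSU
-- application in REGISTRY$HISTORY; 12c and later log datapatch runs in
-- DBA_REGISTRY_SQLPATCH. Both views cover only the SQL half of a patch;
-- the binaries in the Oracle home are inventoried by "opatch lsinventory".

-- 10.2 / 11g: one row per CPU or PSU applied to this database
SELECT action_time, action, version, id, comments, bundle_series
  FROM registry$history
 ORDER BY action_time;

-- 12c and later: datapatch inventory, including runs that ended in errors
SELECT patch_id, action, status, action_time, description
  FROM dba_registry_sqlpatch
 ORDER BY action_time;

-- The practical check: when did the last successful patch go in?
-- A database kept current with the quarterly CPUs should show a date
-- within roughly the last 90 days; NULL means none was ever recorded.
SELECT MAX(action_time) AS last_patch
  FROM dba_registry_sqlpatch
 WHERE status = 'SUCCESS';
```

An empty result set, or a last_patch date several quarters old, is the concrete form of the problem Huff is describing. The caveat cuts the other way too: a row in these views proves only that the SQL scripts ran, so a database that shows a recent CPU but whose Oracle home was never patched with opatch is still exposed.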
In McGovern's later blog post, "If software vendors really cared about security," he outlines some questions for enterprise companies to ask vendors before purchasing software. For example: what features does the product have that help ensure it is designed securely?
So, yes, the best and most practical answer is probably “d.” But do you see any of these factors as having more of an impact? Do you think either Huff or McGovern has a better understanding of the issue?