Eye on Oracle

Apr 1 2008   4:13PM GMT

The Oracle security debate

Shayna Garlick

Oracle DBAs: To what do you attribute problems with Oracle security?

a.) poorly designed software
b.) failure to apply patches and maintain software
c.) lack of financial resources
d.) all of the above

This question has recently made a small stir in the blogosphere, and not everyone can agree on an answer.

Bex Huff, in his “technology, lifehacks, and all that good stuff” blog, says: “Unlike James McGovern, I don’t believe security problems are entirely due to bad software or clueless developers… I’d argue most security problems are due to improperly configured and improperly maintained software. However, I also believe that blaming the implementation team is a cop-out. Instead, developers need to realize that security is a process, not a product.”

Huff goes on to highlight what he sees as the critical process of Oracle security: applying patches. He doesn’t seem to understand why fewer than 20% of Oracle customers apply their rolling security patches.

In his blog “Enterprise Architecture: from Incite comes Insight,” James McGovern says he has the answer: Applying patches is costly. And, he says, it’s not all the fault of the user: “Can we acknowledge that the patch existed because the base software wasn’t written with security in mind in the first place?”

In McGovern’s later blog post, “If software vendors really cared about security,” he outlines some questions for enterprise companies to ask vendors before purchasing software. For example: what features does the product have that help ensure it’s designed securely?

So, yes, the best and most practical answer is probably “d.” But do you see any of these factors as having more of an impact? Do you think either Huff or McGovern has a better understanding of the issue?

3 Comments on this Post

  • Seth Miller
    It's the same problem we have with trying to convince clients to properly swap their tapes out every night to maintain a current backup of the system. If they have gone two, three or even five years without data loss, they no longer see the need to maintain their backups. I have been trying to convince management that we are seriously lacking security on our servers, but they won't allocate resources to patch the databases because there is no immediate need. It's sad to say but most places won't acknowledge their lack of security until it has already been compromised.
  • Sukaina Anis
    Why are patches a must for DBAs? Can't the database company take the responsibility of applying patches whenever needed? Is it not that companies developing software for databases should have initially taken care of securing the database? If a user needs a good database, he needs to buy it from a good database company, and the company, to earn more, does not give good security options with the bundle, and later sells them as patches. If the user does not use them he suffers, or else he has to empty more from his pocket. From these given options: a.) poorly designed software b.) failure to apply patches and maintain software c.) lack of financial resources d.) all of the above, I will strongly select (d). Regards,
  • Zahid Shaikh
    I think financial constraints should not be an excuse for database security. It is a DBA's responsibility to keep security patches up to date. He needs to make sure that the organization is aware of security risks and potential risks of data loss and hacking. However, I like the idea by Mr. Seth that software companies should take care of these security patches or any other updates to the software, because it is very time consuming to apply these patches if you are behind with your patches.
