Take The Oracle Security Survey

Do you use Stellent, or any Oracle technology? Then you should probably take the IOUG Oracle Security Survey:


Select the OSSA Security Survey, and let 'er rip! It's sponsored by Oracle and the Independent Oracle Users Group. The goal is to gather information about your security practices, including general processes for vulnerability and patch management, Critical Patch Updates, and the like. IOUG will analyze the results and issue recommendations to Oracle at Oracle's next Security Customer Advisory Council. IOUG has released a security podcast to explain more about the survey.

I was shocked to discover that fewer than 20% of Oracle customers admit to applying the rolling security patches that Oracle releases... yikes. Back when I was a developer, I always found it extremely frustrating that customers rarely applied patches to known security holes... CERT often says that 99% of security breaches are due to users not applying patches. In other words, 80% of Oracle customers choose to make themselves vulnerable to 99% of the attacks.


Unlike James McGovern, I don't believe security problems are entirely due to bad software or clueless developers... I'd argue most security problems are due to improperly configured and improperly maintained software. However, I also believe that blaming the implementation team is a cop-out. Instead, developers need to realize that security is a process, not a product (hat tip Schneier).

Thus, the best thing a developer can do for security is focus on software that can effortlessly evolve to meet tomorrow's security challenges. If you want secure applications, first demand software that is effortless to patch and maintain. This includes software that can easily roll-back patches in case the security fix broke something important... Then fewer people would fear installing the patches, more would use the existing patches, and there would be significantly fewer breaches.

If software were easy to configure and maintain, then security would get better and better the longer you owned it... not to mention you'd have fewer bugs, and generally better software. Stable products are more secure in practice. Why? If the product is rock solid, with few bugs, then people are less wary of applying critical patches. Better documentation helps as well, as do better patch tools...

With easy patching, easy maintainability, stable software, and a vigilant community, security is a natural by-product. Also, this helps security become less of a cost center... easy patching and configuration is great for ROI, no matter what.

It Just Makes Sense©, so don't expect too many people to press for it any time soon...

Although relatively speaking, I'm pretty impressed with Oracle's patch technology. The new 11g database watches for errors, and can notify you about patches that might fix the problem. Likewise, the Content Management team has a pretty good patch process... unfortunately, it takes forever to get anything out to Metalink, so your best bet is to always contact support for the latest patches.


Patches are not free


I don't think anyone disagrees that patching is an important way to heal security vulnerabilities, and most customers probably do have access to patches. However, the process of installing the patches is not at all free, not even close. For companies that want stable infrastructures, the patches must be tested--even if they're only designed to fix a security issue, it is also possible that the patches break some other critical application function.

A friend that works at one large bank hired an additional full-time DBA when Oracle introduced their quarterly CPU patching program just to manage the testing and roll out of those patches to the bank's 1500+ Oracle databases. It takes them all 3 months to test and install the CPU patches. To "skip" the CPUs would be irresponsible to the bank's customers, so it's a cost they just had to take, not to mention the associated downtime for all the company's applications to install the patches since most if not all of the patches require some downtime. I'm not sure what the "rolling security patches" are unless you're just talking about the quarterly CPU. From a technical perspective, the term "rolling patches" in Oracle Database terms means that it can be installed while running (at least for clusters). The CPU patches I've seen cannot be installed as "rolling" patches.

Ending my rant now with a few conclusions:

1. Of the 80% that don't install the patches, some don't install because they aren't aware.

2. Some choose not to install because they've addressed the vulnerabilities in other ways that are suitable to their business.

3. Some simply lack the testing and rollout resources to do the job.

My only question to the #3 group is "What is more important than security?" Maybe they just need one headliner article about data theft or customer credit card numbers being stolen before they will properly value the cost of a security breach.

so the solution would be...

I'd argue that most of the 80% fall into the #3 category you mentioned, but I have no proof (yet). The IOUG survey would help. However, that just emphasizes my point about how the most secure software is the stuff that's easiest to patch... I doubt there's a better economic signal for security than easy patchability.

Thus, in order to achieve the goals of secure software, it's more important for developers to understand the nuances of patch management, the dangers of code branching, and the law of unintended consequences.

A few hour-long seminars on security would prevent developers from making the really stupid mistakes... however, the nasty security problems are much more subtle... and frequently you don't notice them until your system is live.

Security Patching Survey Results Report

Interested in the results of the survey? The report is now available at http://enterprisesig.oracle.ioug.org/.
