Wednesday, January 16, 2008
OK, so Oracle DBAs are not patching their databases. Why does that happen? I can see a number of factors here:

- Bad security professionals who believe that "Oracle is very secure" and just worry about patching Microsoft, the source of all evil things on earth.
- Terrorist DBAs who are always saying that "patching the DB shouldn't be done; it's working now and it will stop for sure if we try it."
- Bad press, which makes a lot of noise about patches for one product but puts Oracle's mass patch releases (the quarterly Critical Patch Updates) in very small headlines.

Put those together and you'll see what happens in most organizations. DBMS systems are usually what I'm calling "security blind spots": a risk source that is usually not taken into account by risk assessments and management processes, or even by auditors. It's a problem, but nobody knows it is there. Why would someone fix a problem that nobody is worried about?

That's exactly what used to happen with SQL Server. Can you remember when that changed? Slammer is the answer: a worm that spread through a SQL Server 2000 hole for which Microsoft had shipped a patch six months earlier. When a "Slammer for Oracle" is released we will see everybody quickly including Oracle in their vulnerability management processes and checklists. Oracle will probably need to release its patches more frequently, and in a way that makes them easier to install, just as Microsoft had to do (and did).

And there is one thing that almost nobody has noticed: Microsoft SQL Server 2005 has only one registered vulnerability in CVE. Is security still a reason to choose Oracle instead of MSSQL?
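One concrete way to make the blind spot described above visible, as an added example that is not part of the original post: on Oracle 10g and later, the DBA_REGISTRY_HISTORY view records each Critical Patch Update (CPU) or patch set applied to the data dictionary, so a vulnerability-management checklist can compare its newest entry against the date of the latest CPU advisory. The view and column names are Oracle's; the ACTION value 'CPU' is the label 10g CPUs write and is an assumption for other patch types, as noted in the comments.

```sql
-- Added example, not from the original post: make the Oracle patch level visible
-- so it can be compared against the latest Critical Patch Update advisory.
-- Needs SELECT on DBA_REGISTRY_HISTORY and V$VERSION (DBA or SELECT_CATALOG_ROLE).

-- 1. Base release and patch set, e.g. "Oracle Database 10g ... 10.2.0.4.0".
SELECT banner
  FROM v$version
 WHERE banner LIKE 'Oracle%';

-- 2. Every patch recorded in the data dictionary, newest first.
--    For a CPU, COMMENTS names it (e.g. 'CPUJan2008') and ID is the CPU bug number.
SELECT action_time, action, namespace, version, id, comments
  FROM dba_registry_history
 ORDER BY action_time DESC;

-- 3. One-row answer for a checklist: when was the last CPU recorded?
--    ACTION = 'CPU' is what 10g CPU scripts write; later patch types (assumption)
--    may use a different ACTION value, so check query 2 if this returns NULL.
SELECT MAX(action_time) AS last_cpu_applied
  FROM dba_registry_history
 WHERE action = 'CPU';

-- A NULL here means no CPU has ever been applied to this database: exactly the
-- blind spot the post is about. Caveat: this view records only the SQL part of a
-- patch; "opatch lsinventory" on the Oracle home is the authoritative record of
-- the binary patch level and should be checked alongside it.
```

Run the three queries as part of the same quarterly cycle the Windows patch checklist already follows; a last_cpu_applied older than the most recent CPU release date is the finding the risk assessment has been missing.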