Oracle Security Under Scrutiny - InformationWeek


Oracle Security Under Scrutiny

As the number of vulnerabilities in its products grows, Oracle is on the defensive.

Patch Inflation

Oracle attributes the number of vulnerabilities and patches issued in January to improvements in finding and fixing bugs. The size of recent updates looks inflated because the company chose to restrict the number of patches it issued last year, says Oracle chief security officer Mary Ann Davidson. "We were conservative early on so as not to overwhelm our users," she says. As the company got better at patching, it began to include a larger number of fixes each quarter, she says.

Davidson: You say you want an IT revolution?

But Oracle has been criticized for not providing enough information about the vulnerabilities it fixes during critical patch updates. Oracle holds information about its vulnerabilities close to the vest and hasn't issued a single workaround since introducing its critical patch update program in January 2005. If it were willing to provide more information about the patches it issues, users could shield their systems while they test the Oracle patches, shortening the amount of time their systems are vulnerable to attack, contends Gartner's Mogull. "If a workaround is going to break something, tell me and let me make the decision for myself," he says.

At issue is just how involved companies should be in their own protection. "If a vulnerability exists, and we can't take precautions about it, that's just bad," says Michael Gallagher, manager of architecture strategy at ABN Amro, a financial services company that uses both Oracle and IBM DB2 databases. "Companies need to know to protect themselves."

Mogull doesn't advocate that Oracle put its customers at risk by providing too much information that could fall into the wrong hands, but he would like to see the vendor provide some details on vulnerabilities and offer potential workarounds. "This provides attackers with some information, but it also arms the legitimate customers," he says. "All it will take is one bad attack on Oracle, and businesses and government are seriously in trouble."

Protection Before Disclosure

To Oracle, the need to protect customers from attackers outweighs the need for full disclosure. The company is adamant about not giving attackers anything to work with. Oracle receives information about vulnerabilities from its own researchers as well as from third-party research firms and customers, says Darius Wiles, a senior manager of security alerts at Oracle. The company also is looking for vulnerabilities within third-party applications, such as the Apache Web server, that could affect the performance and security of Oracle products.

Before moving to a quarterly critical patch schedule, Oracle issued alerts for individual bugs. When a fix was ready, the vendor made sure it worked on all affected products before issuing the fix to customers. The advantage: Oracle could react more quickly to bug fixes. But customers didn't get any notice that patches were on the way, and eventually, they called for a more predictable patch cycle. "We publish the dates a year in advance so customers can plan their downtime," Wiles says.

The argument over how fast Oracle produces patches misses the point, Wiles says. The wrong metric is to focus on the time between the announcement of the vulnerability and when the patch is made available, he says. Instead, customers should focus on the time between patch availability and their successful implementation of it.

Since Oracle's databases support about 20 different operating systems, each patch must undergo extensive testing to make sure it works properly. "Because customers are under duress to get these patches implemented, we do a lot of work to get them right," Wiles says. "We try to strike the right balance by giving customers the right amount of information without providing information that can be used to create exploits. Given the choice between publishing a workaround that breaks something or not providing a workaround, we do the latter."

2 of 4