17.3.08

Oracle slammed for its 'poor' patching

Oracle’ processes for patching databases were heavily criticised in a presentation at the European Computer Audit Control and Security Conference in Stockholm this week.

Karel Miko from Czech consultancy DCIT, speaking at the event said Oracle was five eyars behind Microsoft in dealing with the issue.

"When Microsoft announced Trustworthy Computing a lot of people laughed, but now you see a real difference," Miko said.

Microsoft offers central patch management tools that allow customers to see what patches are missing and so on, whereas Oracle doesn't, he added.

Oracle also doesn't make life easier for companies who want to keep their databases secure, according to Miko, by making it complex to download and install patches.

He also questioned Oracle’s approach to new vulnerabilities. "An independent consultant announces a vulnerability to Oracle. Three months go by, and nothing happens, six months, a year and still nothing. Oracle puts it in a queue and will solve it sometime, maybe," said Miko.

If customers put pressure on Oracle it might be prompted to improve, but Miko isn't holding his breath.

"Customers are very dependent on Oracle – its database is number one. If you have an application based on an Oracle's database there is no way to change, in maybe 90 percent of all cases," he said.

Databases were one of the hottest topics at the conference; no other product category had more sessions devoted to it. This follows damning surveys have revealed that even though Oracle has been adding patches and new security features many customers are not deploying them.

Miko said, "In my experience even some small enterprises have better administrators than large banks, and do a better job."

Author: Mikael Ricknäs @ www.computerworlduk.com


Read more ...