Eye on Oracle - A SearchOracle.com Blog

The Oracle blog with observations and commentary for DBAs and developers about the Oracle database (10g, 9i), applications (E-Business Suite, Financials, PeopleSoft), SQL and PL/SQL, training, certifications and more.

The Oracle security debate

Oracle DBAs: To what do you attribute problems with Oracle security?

a.) poorly designed software
b.) failure to apply patches and maintain software
c.) lack of financial resources
d.) all of the above

This question has recently made a small stir in the blogosphere, and not everyone can agree on an answer.

Bex Huff, in his “technology, lifehacks, and all that good stuff” blog, says: “Unlike James McGovern, I don’t believe security problems are entirely due to bad software or clueless developers… I’d argue most security problems are due to improperly configured and improperly maintained software. However, I also believe that blaming the implementation team is a cop-out. Instead, developers need to realize that security is a process, not a product.”

Huff goes on to highlight what he sees as the critical process of Oracle security: applying patches. He doesn’t seem to understand why fewer than 20% of Oracle customers apply their rolling security patches.

In his blog “Enterprise Architecture: from Incite comes Insight,” James McGovern says he has the answer: Applying patches is costly. And, he says, it’s not all the fault of the user: “Can we acknowledge that the patch existed because the base software wasn’t written with security in mind in the first place?”

In McGovern’s later blog post, “If software vendors really cared about security,” he outlines some questions for enterprise companies to ask vendors before purchasing software. For example: what features does the product have that help ensure it’s designed securely?

So, yes, the best and most practical answer is probably “d.” But do you see any of these factors as having more of an impact? Do you think either Huff or McGovern has a better understanding of the issue?

4 Comments

  1. I strongly believe that DBAs must follow the necessary security steps. Failure to apply patches and maintain software and other security procedures could seriously affect Oracle security since hackers may easily infiltrate the system.
    Lack of financial resources should not be a hindrance to security if a company really means business, since the cost to the company may outweigh the benefit should Oracle database security break down.

    Comment by DESMOND S. ASARE-QUAYSON — April 2, 2008 @ 10:18 am

  2. It’s the same problem we have with trying to convince clients to properly swap their tapes out every night to maintain a current backup of the system. If they have gone two, three or even five years without data loss, they no longer see the need to maintain their backups.

    I have been trying to convince management that we are seriously lacking security on our servers, but they won’t allocate resources to patch the databases because there is no immediate need. It’s sad to say but most places won’t acknowledge their lack of security until it has already been compromised.

    Comment by Seth Miller — April 4, 2008 @ 2:10 pm

  3. Why are patches a must for DBAs? Can’t the database company take the responsibility of applying patches whenever needed?
    Is it not that companies developing software for databases should have initially taken care of securing the database? If a user needs a good database, he needs to buy it from a good database company, and the company, to earn more, does not give good security options with the bundle, and later sells them as patches.
    If the user does not use them he suffers, or else he has to empty more from his pocket.
    From these given options:
    a.) poorly designed software
    b.) failure to apply patches and maintain software
    c.) lack of financial resources
    d.) all of the above
    I will strongly select (d).
    Regards,

    Comment by Sukaina Anis — April 7, 2008 @ 1:55 pm

  4. I think financial constraints should not be an excuse for database security. It is a DBA’s responsibility to keep security patches up to date. He needs to make sure that the organization is aware of security risks and the potential risks of data loss and hacking. However, I like the idea by Mr. Seth that software companies should take care of these security patches or any other updates to the software, because it is very time consuming to apply these patches if you are behind with your patches.

    Comment by Zahid Shaikh — April 8, 2008 @ 9:05 am
