[ISN] Most Oracle database shops don't mandate use of security patches, survey says

From: InfoSec News <alerts_at_private>
Date: Fri, 27 Feb 2009 02:17:00 -0600 (CST)
http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=security&articleId=9128705

By Jaikumar Vijayan
February 26, 2009 
Computerworld

A continuing lack of corporate mandates to quickly install Oracle 
Corp.'s security patches may be leaving many Oracle database 
installations exposed to vulnerabilities for extended periods of time, 
according to survey results released on Wednesday.

In a pair of online surveys that were jointly conducted between May and 
August of last year by the International Oracle Users Group (IOUG) and 
Oracle, only 26% of the 150-plus respondents said that their companies 
required the software vendor's quarterly patch updates to be applied on 
all systems as soon as they're released.

Another 6% said they're required to install Oracle's Critical Patch 
Updates (CPU) on critical systems only, the IOUG and Oracle wrote in a 
report. Meanwhile, 30% said their companies didn't have any specific 
policies in regards to Oracle's patches, while 32% said their policies 
required database administrators to do either risk or cost-benefit 
analyses in order to justify the installation of patches in production 
databases.

In addition, the survey results showed that most of the respondents were 
months or even more than a year behind Oracle's patch releases. Only 30% 
said they typically installed patches before the vendor released its 
next CPU, according to the report. Twenty-five percent said they were 
one cycle, or three to six months, behind in installing the patches, 
while 26% said they were two to four cycles behind. Another 11% said 
they hadn't installed any of Oracle's patch updates on their systems.

[...]


_______________________________________________      
Best Selling Security Books and More!
http://www.shopinfosecnews.org/
Received on Fri Feb 27 2009 - 00:17:00 PST

This archive was generated by hypermail 2.2.0 : Fri Feb 27 2009 - 00:23:47 PST