Shock! Database Admins Aren't Patching Oracle
Microsoft did a marvelous job of conditioning the world for "Patch Tuesday." When Bill Gates & Co. announced the scheme for the scheduled release of routine patches, the security community groused at the obvious marketing spin. Five years later, Microsoft has been proven right: enterprises can plan better for patches if they know when they are coming.
Now comes a survey from Sentrigo, a maker of virtual patches for Oracle databases, with the shocking finding that most DBAs aren't patching their software. According to the survey of 305 database admins, developers and consultants, only 10 percent reported applying the most recently issued Oracle Critical Patch Update (CPU). Further, two-thirds said they've never applied any Oracle CPU. The calamity!
"This survey scares the heck out of me," said Mike Rothman, president and principal analyst, Security Incite, in a Sentrigo press release. "The database is where most of an organization's critical and regulated data resides and if it's not patched in a timely fashion, organizations are asking for trouble."
Talk about stating the obvious, but Rothman is right and somewhat wrong at the same time.
DBAs are dead wrong if they're not patching their systems. Database flaws and vulnerabilities will ultimately impede performance and leave critical data open to compromise. If they can't patch databases because of operational imperatives or their databases are too old to patch, they absolutely should seek workarounds such as monitoring systems made by Application Security or virtual patches by Sentrigo.
More significantly, these results point to a lack of redundancy in enterprise database infrastructure that would allow for routine maintenance and patching. Enterprises rely on fully functional and available databases, and the information they contain, for everything from routine to critical operations. Allowing a database to go down for even a short time could spell the loss of untold revenue and opportunities. At the very least, it would impede productivity, which equals money lost.
Enterprises are pushing their databases and information infrastructure to the limits. Survey results such as these should make us question not only our database security practices, but also our infrastructure for ensuring database availability.
Share your database patching experiences or your thoughts on this survey with Larry at firstname.lastname@example.org.