Liquidmatrix Security Digest

2/3 of Oracle DBAs Don’t Apply Security Patches

Ever wonder how long of a career folks like David Litchfield and Pete Finnigan might have ahead of them? Well, pretty much as long as they feel like. Especially when you read stories like this one, which appeared in Computerworld today:

Oracle Corp. issues dozens of security patches every quarter, but that doesn’t mean database administrators are necessarily implementing them.

In fact, a good two-thirds of all Oracle DBAs appear not to be installing Oracle’s security patches at all, no matter how critical the vulnerabilities may be, according to survey results from Sentrigo Inc., a Woburn, Mass.-based vendor of database security products.

The results are “surprising, and to be candid, quite frightening,” said Mike Rothman, president of consulting firm Security Incite in Atlanta.

Sentrigo polled 305 Oracle database administrators from 14 Oracle user groups between August 2007 and January 2008. The company basically asked the administrators two questions: whether they had installed the latest Oracle patches, and whether they had ever installed any of Oracle’s security updates.

The results, which come even as Oracle is scheduled to release its next batch of quarterly Critical Patch Updates tomorrow, showed that 206 out of the 305 surveyed said they had never applied any Oracle CPUs. Just 31 said they had installed the most recent security update from the company. In total, only one-third said they had ever installed an Oracle CPU.

It’s no small wonder that we read about data security breaches at an ever-increasing rate when you take that into account. I once dealt with a client many moons ago where the DBA steadfastly refused to apply patches. He said, “Why should I? It works and I won’t risk my data. After all, I have a firewall.”

After I came to, I stumbled to the nearest coffee machine in search of a leveler. I have always marveled at the cross section of DBAs that assign a possessive to data. Whenever I hear “my data” I know it will be an ugly security discussion.

But I digress. If you in fact have an Oracle database in-house… do you know where your patch level is?
