Risk Calculator for Oracle Critical Patch Updates
Hello,
Oracle critical patch updates are 'hard to sell' to Oracle database end-users or DBAs (team leads) or service managers. They might say: we don't use that feature (although it may be installed, e.g. "Workspace Manager"), or only one database on the server uses that feature and not the other ten, or we solely rely on perimeter security, "that should be sufficient".
Saying that Oracle strongly recommends applying cpuoct2007, while Oracle at the same time doesn't want to give away information on the security issues covered by the CPU (see the Oracle security policy at http://www.oracle.com/technology/deploy/security/securityfixlifecycle.html), doesn't help in the discussion to convince my businesses.
The solution to this problem of not getting enough buy-in might be to use an objective way of risk calculation. The "Common Vulnerability Scoring System Version 2 Calculator" as found at http://nvd.nist.gov/cvss.cfm?calculator&version=2 might be of help. It matches what Oracle publishes at http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuoct2007.html
Collecting the info from DBA_REGISTRY helps in identifying databases with affected components.
I still have to find out if the output of the risk calculator indeed helps in discussions with the group of people mentioned earlier.
In the meantime I am wondering if any of you has experience with this way of doing risk assessments.
Kind regards,
Andre
-- http://www.freelists.org/webpage/oracle-l
Received on Mon Nov 26 2007 - 05:52:50 CST
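An added example, not part of the original post: a minimal Python sketch of the approach described above. It computes CVSS v2 base scores from risk-matrix vectors and reports, per database, the highest score among the components actually installed. The entry ids, vectors, and database names are constructed for illustration and are not taken from cpuoct2007. The component sets stand in for the COMP_NAME values a query on DBA_REGISTRY would return.

```python
# CVSS v2 base-metric weights as defined in the CVSS v2 specification.
AV = {"L": 0.395, "A": 0.646, "N": 1.0}    # Access Vector
AC = {"H": 0.35, "M": 0.61, "L": 0.71}     # Access Complexity
AU = {"M": 0.45, "S": 0.56, "N": 0.704}    # Authentication
CIA = {"N": 0.0, "P": 0.275, "C": 0.660}   # Conf. / Integ. / Avail. impact


def base_score(vector):
    """CVSS v2 base score for a vector such as 'AV:N/AC:L/Au:N/C:P/I:P/A:P'."""
    m = dict(part.split(":") for part in vector.split("/"))
    impact = 10.41 * (1 - (1 - CIA[m["C"]]) * (1 - CIA[m["I"]]) * (1 - CIA[m["A"]]))
    exploitability = 20 * AV[m["AV"]] * AC[m["AC"]] * AU[m["Au"]]
    f_impact = 0 if impact == 0 else 1.176
    return round((0.6 * impact + 0.4 * exploitability - 1.5) * f_impact, 1)


def exposure(risk_matrix, registry):
    """Map each database to (highest base score, entry id) over installed components.

    risk_matrix: iterable of (entry_id, component_name, cvss_v2_vector)
    registry:    dict of database name -> set of installed component names
    """
    result = {}
    for db, installed in registry.items():
        hits = [(base_score(vec), entry)
                for entry, comp, vec in risk_matrix if comp in installed]
        result[db] = max(hits) if hits else (0.0, None)
    return result


# Constructed sample data (hypothetical entries, not from a real CPU advisory).
SAMPLE_MATRIX = [
    ("ENTRY-1", "Oracle Workspace Manager", "AV:N/AC:L/Au:S/C:P/I:P/A:N"),
    ("ENTRY-2", "Oracle Text", "AV:N/AC:L/Au:S/C:P/I:P/A:P"),
    ("ENTRY-3", "Spatial", "AV:N/AC:L/Au:S/C:P/I:N/A:N"),
]
SAMPLE_REGISTRY = {
    "DB_A": {"Oracle Workspace Manager", "Oracle Text"},
    "DB_B": {"Oracle Workspace Manager"},
    "DB_C": {"Oracle Database Catalog Views"},
}

if __name__ == "__main__":
    for db, (score, entry) in sorted(exposure(SAMPLE_MATRIX, SAMPLE_REGISTRY).items()):
        print(f"{db}: highest base score {score} ({entry})")
```

A score of 0.0 here only means that no listed entry matched an installed component. It does not cover the environmental metrics of CVSS v2.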