Message-ID: <9b46ac490711260933k40f0f9fcsd911d933c7ba6502@mail.gmail.com>
Date: Mon, 26 Nov 2007 18:33:03 +0100
From: "Andre van Winssen" <dreveewee@gmail.com>
To: "Niall Litchfield" <niall.litchfield@gmail.com>
Subject: Re: Risk Calculator for Oracle Critical Patch Updates
Cc: oracle-l <oracle-l@freelists.org>
In-Reply-To: <7765c8970711260738l48a09dd2u1175fe7d9955384c@mail.gmail.com>
References: <9b46ac490711260352l71c61ccekf90fae9f0f03952e@mail.gmail.com>
	 <7765c8970711260738l48a09dd2u1175fe7d9955384c@mail.gmail.com>

Niall,

thanks for sharing. But what is a better way to come to agreement? In my
organisation it is difficult to get additional downtime for patching
something that hasn't led to (security) incidents yet. So what can we
database security focal points do, sit and wait until the security incidents
start happening or be optimistic and forget about cpu's altogether or until
regular maintenance cycle comes in?  CPU's are really hot potatoes in this
respect.

Indeed we have to agree first on *Environmental Score Metrics* and the
*thresholds* but once that is done it's pretty straightforward. What I want
to achieve is to get buy-in in advance from the businesses and dba managers
for when these thresholds are exceeded.

Skipping cpu's means that the score should go up as the nr of fixes missed
has increased. But how much..who knows?

If database security was only a nightmare I could forget about it after
waking up !

Regards,
Andre



2007/11/26, Niall Litchfield <niall.litchfield@gmail.com>:
>
> Well I'm one of those groups (dba and manager) and it seems to me that
> CVSS only really helps where the organisation doesn't have a basis for
> discussion already. In particular it's a little overstating the case to
> state that CVSS is objective given that it scores based on subjective
> judgements on a number of the core elements of the score (eg collateral
> damage potential). In addition it's difficult to see how to relate CVSS
> scores to dollar cost of implementing the fixes. Especially as the dollar
> cost may not be known - applying a cpu may require one or more application
> code updates and associated testing. So for example the Oct CPU score for my
> organisation I calculate as 5.9. Is that enough to delay a project
> promised before year end or not? That in the end can't be an objective
> decision. Suppose I decide it doesn't justify it, and go through a similar
> process with the next 2 CPUs (say they score 5.8 and 6.3). Does the fact
> of not having applied 2 previous CPUs affect how I use the score of 6.3 in
> 6 months time?
>
>
> --
> Niall Litchfield
> Oracle DBA
> http://www.orawin.info
>

--
http://www.freelists.org/webpage/oracle-l


