Re: OT: Oracle Critical Patch Article

From: Andrew Kerber <andrew.kerber_at_gmail.com>
Date: Tue, 15 Jan 2008 11:51:00 -0600
Message-ID: <ad3aa4c90801150951t4301ab3esac8ea01ab80d52a3@mail.gmail.com>


>> Would a dba be concerned about remote vulnerabilities for databases that
>> support only connections from application servers that are secured? Probably not.

I hope DBAs aren't using that argument. Sarbanes-Oxley applies to all publicly held companies. And the rules are just as concerned with internal security as external security. There are very few Oracle databases that you cannot connect to at all via sqlnet.

On Jan 15, 2008 11:12 AM, Paul Drake <bdbafh_at_gmail.com> wrote:

>
> On Jan 15, 2008 10:42 AM, Taylor, Chris David <Chris.Taylor_at_ingrambarge.com> wrote:
>
> > How many of you guys have seen this?
> >
> > http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9057226&source=NLT_PM&nlid=8
> >
> > What are your thoughts? I know our organization falls into that
> > category but primarily because we aren't exposed to the outside world. We
> > don't have external applications so most times I believe that critical patch
> > updates can be applied during a normal maintenance period.
> >
> > *chris*
> >
> Chris,
>
> The press release is located here:
> http://www.sentrigo.com/press_releases-newsid-39.htm
>
> and Pete Finnigan wrote about it here:
> http://www.petefinnigan.com/weblog/archives/00001141.htm
>
> Clearly, the company providing the figures has a self interest in having a
> market for its products and services (which is disclaimed at the bottom of
> the press release page).
>
> "When asked: "Have you installed *the latest* Oracle CPU?" – Just 31
> people, or ten percent of the 305 respondents, reported that they applied
> the most recently issued Oracle CPU."
>
> I just downloaded "the latest" critical patch update this morning, as that
> is when it was released. I plan to apply it in a testing environment later
> this afternoon.
> Perhaps semantics matter here just a bit.
>
> Only 35 people in the survey replied yes to one of the questions. That's a
> fairly small sample, statistically speaking. If a dba only gathered
> (estimated) stats with a sample size of 32 blocks out of a table with say
> 32K blocks, I doubt that the stats would be very accurate.
>
> Would developers be inclined to apply critical patch updates to
> development servers (where there is no formal dba position)? I would think
> not.
>
> Are critical patch updates available for Oracle XE databases? No.
>
> Are some applications running on database versions or patchsets that do
> not have critical patch updates made available? Yes. (8.1.7.4 and 10.1.0.4
> spring to mind.)
>
> Would a dba be concerned about remote vulnerabilities for databases that
> support only connections from application servers that are secured? Probably
> not.
>
> I'm skeptical that the results are representative and are useful for
> anything other than stirring discussion (and marketing).
>
> Paul

-- 
Andrew W. Kerber

'If at first you don't succeed, don't take up skydiving.'

--
http://www.freelists.org/webpage/oracle-l
Received on Tue Jan 15 2008 - 11:51:00 CST