Research: Oracle Applications Not Secure
Oracle spends a lot of time producing its Critical Patch Updates, but apparently most DBAs dont pay much attention to them.
Sentrigo found that only 10 percent of respondents in a study of Oracle User Group attendees reported they were up to date and had installed the latest Oracle CPU.
A staggering 67.5 percent of respondents admitted they had never applied any Oracle CPU. The study results come on the eve of Oracle's January CPU release in which 27 issues are expected to be addressed.
Slavik Markovich, CTO of Sentrigo, told InternetNews.com of a few other trends he noticed among the user group's attendees and Sentrigo customers.
He also reported a lack of CPU certification for some applications. For example, if you have an SAP system running atop an Oracle database, it may not be certified to run on the recent CPUs.
Markovich also mentioned that security tasks have a low priority for the average database administrator (DBA), as enterprises judge them instead on uptime and performance.
While some databases are publicly accessible from the Internet, many Oracle databases are not.
Nevertheless, users that choose not to download the latest Oracle CPU can be at risk either way.
Markovich admitted that nonpublic databases are less at risk from outside intrusion. That said, he noted that even databases not directly accessible from the Internet can be hacked into as long as an unbroken physical connection exists. Insiders using publicly available exploits can gain DBA privileges with no need for any database expertise and pose additional risks.
DBAs' failure to ensure their databases remain up to date comes despite Oracle's efforts to boost user adoption.
"The CPU system was Oracle's response to customer requests a couple of years back," Markovich said. The current system "is a big improvement on the previous method that was less organized and did not have enough disclosure to allow customers to make informed decisions."