Oracle will be voted off the island if it doesn't improve its patching process. There's just too much at stake.
Fresh off a slew of security conferences, I am hearing one message loud and clear: Vendors are not meeting the needs of the user community.
In a room of 300 users at a conference last year, more than two-thirds raised their hands when asked if they agreed with the following statement: Vendors give me products I don't need, but the products I have don't deliver what I want.
Don't underestimate your power. As security expert Marcus Ranum told attendees last fall at the Information Security Decisions conference, you wield more influence than you may realize.
"Somehow, where vendors are concerned, you feel you have to eat what they serve you," Ranum said. "Look at the arguments against using open source. You say you don't use it because there's no one to sue. Well, when was the last time you sued Microsoft when they sold you a piece of crap?"
You'll get to hear more of Ranum's opinions in our new Face-Off feature where, every quarter, he'll debate various security issues with Counterpane CTO and founder Bruce Schneier. (Check out Round One, "
Microsoft has been the usual whipping boy. Like Ranum, users have criticized the company because it has refused to acknowledge security problems in its software. But as it marks the fourth anniversary of its Trustworthy Computing Initiative, many of these shortcomings are being addressed.
Lately critics have focused on Oracle. The reasons are many: A significant amount of sensitive data, including personally identifiable information, is housed in Oracle databases; there has been an increase in the number of application threats to the databases; and the perceived arrogance of the company and its failure to promptly address the problems has angered users.
Just last September at Oracle OpenWorld, CEO Larry Ellison claimed that the last time its database had been broken into was 15 years ago. He also refused to commit to fixing security holes within three months of their discovery, saying it was impossible to commit to a particular time period.
While I understand Oracle's hesitation to make such a promise, some of the reported vulnerabilities date back more than two years and have not been fixed.
When Oracle does release patches, often the company provides little information about the vulnerability or manual workarounds, and has sometimes released fixes multiple times, compounding the confusion.
Furthermore, the sheer number of patches has made it difficult for users to react. In January, Oracle released patches for 82 vulnerabilities across multiple product lines, including its databases, Application Server, Enterprise Manager, Collaboration Suite, E-Business Suite, and PeopleSoft applications. According to research firm Gartner, Oracle's database products alone have 37 vulnerabilities that are easily exploitable, with some potentially allowing remote database access. In comparison, Microsoft released 15 during the same time period.
Oracle executives claim they are trying to prioritize the patches, but the company has to change its security management practices and take these vulnerabilities more seriously.
As our Security Survivor All-Stars know all too well, bad things happen. It may only be a matter of time before Oracle experiences a mass security exploit. Then, users will be clamoring to vote Oracle off the island.
This was first published in April 2006