Thursday, February 7, 2008

Oracle patches: more harm than good?

Article: http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9057226&pageNumber=2

You would think that, with all the security problems on the Internet and on corporate networks, everyone would want to keep their systems current with the latest security patches. I know I always install them, on both my PC and my Mac. Surprisingly, though, a survey has found that two-thirds of Oracle DBAs do not install any Oracle security patches--EVER--no matter how critical the update may be. Some of them are even explicitly told by the security department to install the patches, and they STILL don't do it. Why would DBAs not want to fix known vulnerabilities in their databases? The first thing that came to my mind was, "Are they just being lazy?" Here are the reasons the DBAs themselves give:

1. Fear of a negative effect on the system as a whole
2. Some vendors do not certify Oracle patches to work with their applications
3. Updates have to be done in chronological order; you cannot install a new patch until you install the previous one

The first reason is plausible, I suppose. In my Systems Design class we covered client-server systems. In those systems (especially two-tier ones), applications are often written against one specific database and depend on its exact behavior. A change to the database, whether to its structure or to how it executes queries, can therefore break the application or hurt its performance. Before a security patch can go into production it first has to be tested against every application that uses that database. Many organizations have a large number of applications and databases, and testing a patch against all of them would take months and cause downtime, both for the testing and for the rollout. For most companies, downtime is not an option.

The second reason is also valid. If a vendor has not certified a patch for use with its application, it can deny the company technical support once the patch is installed. It is the equivalent of voiding the warranty on a new car stereo installation: when it starts having problems later on, you let a friend try to fix it instead of taking the car back to the shop that installed it, and the shop no longer has to help you.

The third reason really shouldn't have been mentioned. Granted, if patches must be applied in sequence, then falling behind leaves you stuck, because you can't skip ahead to the newest one. But does that even matter here? The DBA wouldn't install the update anyway, for the two reasons discussed above. If anything, citing this "reason" makes the surveyed DBAs seem lazy or slow. At least the other two make it seem like they have reasonable cause to avoid security updates.
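One practical check that follows from this, added here as an example and not taken from the article or the original post: before arguing about whether a database can be patched, find out what it already has. Oracle Database 10.2 and later record each applied Critical Patch Update in the DBA_REGISTRY_HISTORY view (the COMMENTS column carries the CPU name, e.g. CPUJan2008, and ID the patch number), so a DBA can see at a glance how far behind an instance is. The queries assume a session with SELECT access to the DBA_ views; nothing else about the environment is assumed.

```sql
-- Added example, not from the article or the post.
-- Lists every patch action the database has recorded about itself, oldest
-- first, so the last row is the most recent CPU the instance knows about.
-- Assumes Oracle Database 10.2 or later and access to the DBA_ views.
SELECT action_time,
       action,
       namespace,
       version,
       id,          -- patch number, as recorded by the post-install step
       comments     -- e.g. 'CPUJan2008'
  FROM dba_registry_history
 ORDER BY action_time;

-- Same view, reduced to the single most recent entry. Suitable for a
-- fleet inventory script that runs it against every instance and flags
-- any whose result is empty or older than the current quarterly CPU.
SELECT MAX(action_time) AS last_patch_time,
       MAX(comments) KEEP (DENSE_RANK LAST ORDER BY action_time) AS last_patch
  FROM dba_registry_history;
```

An empty result is not proof that the binaries are unpatched: the row is written by the SQL post-install step the CPU README has you run after OPatch has patched ORACLE_HOME (catcpu.sql on 10.2), so a home where that step was skipped is patched at the binary level but not in the registry, and the reverse mismatch is just as possible after a clone. Cross-check with `$ORACLE_HOME/OPatch/opatch lsinventory`, which reads the binary-level inventory, and treat disagreement between the two as a finding in itself.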

While I can understand why DBAs would want to avoid system complications and "voided warranties", I do not think it is ethical to bypass Oracle security updates. They exist for a reason. What if confidential data leaks through a vulnerability that could have been fixed, had the DBA installed the patch? What if a system crash results from a bug the patch would have removed? Installing these updates may be time consuming and inconvenient, but they need to be done--period.
