By blogsadmin on April 17, 2006 3:10 PM
Welcome to Oracle's security blog.
My name is John Heimann and I manage Oracle's Security Program Management team. My team participates in security initiatives across Oracle, helping to enforce our security policies as well as looking for opportunities to improve our software security assurance processes. These extensive processes have been built up over the 25 years Oracle has been delivering secure software and include secure coding and configuration standards, developer training classes on these standards, developer and QA tools to find security bugs, and secure deployment guidelines for customers. These processes are subject to regular review, by us and by customers, where we focus on ways in which we can improve what we're doing. I recently wrote a white paper that details many of the processes that are in place to help ensure the security of Oracle's products. If you're interested in learning more, you can read it here.
Our primary means of communication is our Web site, which contains information about Oracle's secure development processes, the Critical Patch Update (a quarterly patch that bundles all security patches across Oracle's products), security-related product information, and other security-related information at Oracle.
My team, and other teams handling security, use email blasts for communicating important security events. MetaLink users get these automatically, and non-MetaLink users can sign up to receive emails relating to security via OTN by following the instructions here.
We will use this blog to highlight and discuss topics that are best served by the more informal and discursive medium that blogs provide. We'll be commenting on Oracle security news, making you aware of new security resources as they become available and keeping you up to date on our latest security initiatives.
By blogsadmin on April 25, 2006 9:54 AM
Hello. My name is Darius Wiles and I manage Oracle's Security Alerts Team. Our focus is to track security vulnerabilities in Oracle products, to support developers in the production of fixes and to manage their release to customers.

Since the beginning of 2005, we've been releasing patches for all products on a single day, once a quarter, as part of our Critical Patch Update process. The OTN site contains the list of Critical Patch Updates that we have released to date, and information on our security vulnerability fixing process.

The sixth Critical Patch Update was released on 18 April 2006. The details can be found in the advisory, available on OTN, MetaLink and the PeopleSoft / JD Edwards Customer Connection site.
This Critical Patch Update contains an improved version of the password checking utility previously released with the January 2006 Critical Patch Update. We've renamed it the Oracle Default Password Scanner to more accurately reflect its purpose: to list default database accounts that are unlocked (open) and have default passwords. The accompanying documentation, the Oracle Default Password Scanner User's Guide, explains how to secure each unlocked default account that has a default password. Most accounts can simply be locked, but those used by other Oracle products have different remedial actions to ensure that those other products can continue to access the database.
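The condition the Scanner reports on, open default accounts still carrying their default password, expressed as a data-dictionary query. This is an added example, not the Scanner or any Oracle code; it assumes a release that provides the DBA_USERS_WITH_DEFPWD view (Oracle Database 11g and later, which the 2006-era Scanner predates) and a session with SELECT on the DBA_* views. The product-account list is a constructed placeholder to be filled in from the Scanner User's Guide.

```sql
-- Added example, not Oracle's Scanner. Assumes the DBA_USERS_WITH_DEFPWD view
-- (Oracle Database 11g and later) and a session with SELECT on the DBA_* views.

-- 1. Accounts that are both unlocked (OPEN) and still on a default password:
--    the same condition the Scanner reports on.
SELECT u.username, u.account_status, u.created
  FROM dba_users             u
  JOIN dba_users_with_defpwd d ON d.username = u.username
 WHERE u.account_status = 'OPEN'
 ORDER BY u.username;

-- 2. Remediation script. Most accounts are simply locked; accounts that other
--    Oracle products connect with must instead be handled as the Scanner
--    User's Guide describes, so they are flagged for review rather than locked.
--    product_accounts is a constructed placeholder list; fill it from the guide.
WITH product_accounts AS (
  SELECT 'SYS'    AS username FROM dual UNION ALL
  SELECT 'SYSTEM' AS username FROM dual UNION ALL
  SELECT 'PLACEHOLDER_PRODUCT_SCHEMA' AS username FROM dual
)
SELECT CASE
         WHEN p.username IS NOT NULL THEN
           '-- ' || u.username || ': used by another product; see the User''s Guide'
         ELSE
           'ALTER USER "' || u.username || '" ACCOUNT LOCK PASSWORD EXPIRE;'
       END AS remediation
  FROM dba_users             u
  JOIN dba_users_with_defpwd d ON d.username = u.username
  LEFT JOIN product_accounts p ON p.username = u.username
 WHERE u.account_status = 'OPEN'
 ORDER BY u.username;
```

Spool the output of the second query, review the flagged lines against the User's Guide, and only then run the generated ALTER USER statements.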
We strongly recommend use of the Scanner to identify and secure default accounts. The Scanner is independent from the rest of the Critical Patch Update, so it is possible to go straight to the Scanner FAQ on MetaLink and download it. We encourage the use of the Scanner as part of a wider review of security using the advice in the security guides linked from the OTN security page.
John Heimann's team (see the blog entry for 17 April 2006) is managing a program to make it easier to lock down existing default accounts, avoid the introduction of unnecessary new default accounts, and otherwise install new releases of products in a hardened configuration. The specific configuration changes are being phased in over a series of releases to ease the impact on customers. The tools and security guides being released now make some of these security improvements available for use in current products.
I realize I've included a lot of information and links in this blog entry, but it is an indication of the number of security initiatives and teams involved in improving the security of Oracle products. There's a lot of great information available - the trick is knowing where to look!