
Findings Of The IOUG Assurance Survey Publicly Released

Hi, this is Eric Maurice again.

Today, the Independent Oracle User Group (IOUG) released a report detailing the results of a survey designed in collaboration with Oracle Global Product Security. The purpose of the survey was to collect information about some of the security practices of Oracle customers, particularly around the Critical Patch Update (CPU).

In a previous blog entry, I discussed why the IOUG and Oracle conducted the survey. Our intent was to develop a better understanding of customers’ security patching behavior, and collect feedback and recommendations for the Security Customer Advisory Council, an advisory committee that provides recommendations to Oracle about its roadmap for security products and processes (such as the CPU).

The survey yielded more than 150 responses from as many different organizations. We wanted to hear from the people whose business function was related to security patching in their Oracle environment, so information was collected from DBAs, systems administrators, and managers who are intimately involved with the deployment of CPUs or patch sets.

In my opinion, the two most interesting areas of the survey were related to the relatively low number of organizations that mandate systematic patching of their Oracle systems and the influences reported by respondents that would cause their organization to be more consistent in its patching practices.

The survey found that a relatively low number of organizations require systematic application of security patches when they are released by Oracle. Only about one quarter of respondents stated that their organizations required that Critical Patch Updates be applied systematically across the entire applicable environment when CPUs are released by Oracle.

At the other end of the spectrum, almost one fifth of all respondents reported that their organizations actually did not have specific requirements for the application of any vendor’s security patches. Another eleven percent of the respondents reported that, although they had patching policies, those policies did not extend to Oracle patches.

However, over one third of all respondents (36%) indicated that their organizations had patching policies in place and that these policies required that the application of the Oracle security patches be justified. In such instances, not surprisingly, respondents reported that their organizations seemed to favor a risk analysis as opposed to a cost/benefit analysis in order to justify the patching effort.

Another interesting aspect of the survey was related to the factors reported by the respondents that would cause their organization to be more proactive in their application of security patches.

Respondents were asked to select up to three things that could cause them to apply Critical Patch Updates more quickly and consistently. The survey found that the existence of organizational policies is as important to consistent CPU application as the availability of tools or documentation to test CPUs before their deployment. Requirements expressed by the security staff, mandates arising from security audits, or executive decisions accounted for over one third (36%) of the total number of answers. Availability of enhanced tools and documentation accounted for another one third (34%). Finally, a “massive malware outbreak” was cited in sixteen percent of the responses.

In my opinion, this survey highlights the importance of security policies for patching business-critical systems. Many respondents indicated that systematic patching policies typically extended only to desktop environments. They also reported reluctance to patch servers that otherwise perform in a predictable manner. Organizations are reluctant to mandate the application of patches onto business-critical servers because of the cost and time associated with such an effort. Furthermore, many administrators have reported fear of “breaking” something and thus causing downtime. In addition, the belief that security controls provided outside of the affected systems (NAC systems, DMZ configuration, etc.) offer enough mitigation is a significant factor influencing organizations’ patching behavior on Oracle systems.

The findings of the survey were reported to the Security Customer Advisory Council (SCAC). SCAC members themselves took the survey before the findings were presented, and their feedback was consistent with the feedback from the IOUG members. As a result of this survey, Oracle and IOUG are planning to explore two areas to help customers with their security patching efforts. In the next few months, Oracle and IOUG plan to develop activities to promote the adoption of documented patching policies, and to educate customers about the availability of tools, such as the new My Oracle Support Portal, which can help customers with their patching and secure configuration efforts. In addition, Oracle plans to explore ways to enhance the Critical Patch Update documentation to help customers develop time-effective testing procedures for the CPUs before their deployment. All these activities are likely to be topics for future blog entries.

For more information about this IOUG Security Assurance survey:
* The survey report is located at http://enterprisesig.oracle.ioug.org/
* A previous blog entry discussing the objectives of the survey is located at http://blogs.oracle.com/security/2008/07/ioug_security_survey_.html
* Michelle Malcher comments on this survey at http://michelledbaunleashed.blogspot.com/


About This Entry

This page contains a single entry from the blog posted on February 25, 2009 5:47 AM.
