It is great to have an opportunity through the IOUG to participate in the creation of a survey, and it is even better when, working collaboratively with Oracle, you get to see how the results of that survey are being used. So, today IOUG is releasing the results of a survey that collected information about the security practices of IOUG members around the Critical Patch Update (CPU). The survey was designed in collaboration with Oracle’s Global Product Security organization, under the leadership of Mary Ann Davidson.
There were a couple of main goals for the survey. From an Oracle perspective, there was a desire to better understand customer security patching behaviors. For the IOUG, this was important as well, as was providing the collected feedback back to Oracle through IOUG’s participation in Oracle’s Security Customer Advisory Council (SCAC).
The survey includes responses from 150 participants, who indicated that they are directly involved with applying CPUs and patching the Oracle environment. As initially planned, the results of the survey were presented to the Security Customer Advisory Council. IOUG’s participation in the SCAC reflects IOUG’s customer advocacy role. It gives IOUG members a voice to provide feedback to Oracle about its product security roadmaps and assurance activities.
The survey was designed to look into security patching policies, practices around the application of the patches, their importance to Oracle users, and was intended to identify factors that would contribute to easing the application of patches. Check out the survey report on the IOUG website: http://www.ioug.org/.
What I found interesting in the results is that only about 1/3 of the respondents have organizational policies requiring regular application of the CPU. Another 1/3 need to justify the patch, and the last 1/3 have no policy to apply Oracle security patches (or other vendors’).
The CPU is generally considered to be important to maintain a proper security posture, and 55% of the respondents reported that they have applied the latest CPU or are one cycle behind. This leaves the other half several months behind (two or more CPU cycles late) or not applying the patches.
The survey then asked what factors would help with timely and more consistent application of the CPUs. Responses were very consistent. According to the respondents, organizational policies are as important to CPU application as tools or documentation to test the CPUs before their deployment. Each of these answers was reported by roughly 1/3 of the respondents. (Another 16% indicated that a massive malware outbreak would “help” in getting the patches applied more consistently.)
Our database environments tend to be more complex with several different applications accessing several databases. Applying patches tends to bring the fear of what is going to break, so having organizational patching policies would help offset having to justify the patching. In addition, having documentation or tools to better be able to test changes to the environment before the actual deployment of the CPUs would help reduce the risk of outages, and possibly reduce the cost and time required to implement a security patching policy.
Again, security patches are important to the Oracle environments, and the general feedback was positive here, with the concern being how to test and get proper policies in place. Such feedback is valuable to the IOUG! It allows us to come up with a prioritized list of improvements, recommendations to Oracle, and other educational outreach, which can be offered to members to help them promote better security practices with their Oracle environment.
Education of the IOUG community is being achieved through webcasts and through the Collaborate 09 conference. There are several presentations on best practices related to securing the Oracle environment, as well as sessions specifically dedicated to the application of CPUs.
Check out more information about Collaborate 09.
From an Oracle perspective, this survey allowed them to develop initiatives to help customers with testing CPUs, such as enhancements to the CPU documentation and additional features being made available through the “My Oracle Support” portal, which allows customers to identify the system that needs to be patched.
Also check out Eric Maurice’s comments about the results: http://blogs.oracle.com/security
CPU Security Survey Report: http://enterprisesig.oracle.ioug.org/
Collaborate 09: http://ioug.org/collaborate09/
Previous blog and information about the objects of this survey: http://blogs.oracle.com/security/2008/07/ioug_security_survey_.html