Oracle lags on patch management
Oracle needs to improve
patch management, an area where it's currently lagging five years behind Microsoft,
according to database expert Karel Miko at Czech consultancy DCIT.
"When Microsoft announced Trustworthy Computing a lot of people laughed,
but now you see a real difference," said Miko, who spoke at the European
Computer Audit Control and Security Conference in Stockholm.
"I don't like Microsoft, but Oracle definitely has something to learn,"
he said.
Microsoft offers central patch management tools that allow customers to see
what patches are missing and so on, whereas Oracle doesn't.
Oracle also doesn't make life easier for companies who want to keep their databases
secure, according to Miko, making it complex to download and install patches.
It also has a strange approach to new vulnerabilities, he said.
"An independent consultant announces a vulnerability to Oracle. Three
months go by, and nothing happens, six months, a year and still nothing. Oracle
puts it in a queue and will solve it sometime, maybe," said Miko.
If customers put pressure on Oracle it might be prompted to improve, but Miko
isn't holding his breath.
"Customers are very dependent on Oracle -- its database is number one.
If you have an application based on an Oracle database there is no way to
change, in maybe 90 percent of all cases," he said.
Databases are one of the hottest topics at EuroCacs; no other product category
has more sessions.
That's good, because database security is lagging behind. Even though Oracle
has been adding new security features, customers aren't taking advantage of them.
"To be honest a lot of companies aren't even using the basic stuff that
has been there since version 8," said Miko.
In the end, database security is all about people.
"In my experience even some small enterprises have better administrators
than large banks, and do a better job," said Miko.
IDG News Service