Vendor Patch Management Support
ComputerWorld has a very interesting article this week about how immature Oracle's patch management program for customers is compared to Microsoft's.
As the following quote indicates, there are things that vendors should be doing to provide their Enterprise and SMB customers with the necessary tools and information to keep their environments secure.
"When Microsoft announced Trustworthy Computing, a lot of people laughed, but now you see a real difference," said Miko, who spoke at the European Computer Audit, Control and Security Conference in Stockholm.
"I don't like Microsoft, but Oracle definitely has something to learn," he said.
Microsoft offers central patch management tools that allow customers to see what patches are missing and so on, whereas Oracle doesn't, Miko said.
Oracle seems to believe that its database is simply secure and that this whole situation is rather overblown, but it is well known that the vast majority of security issues come about because of configuration problems, not simply because the software or hardware is inherently secure or insecure.
Apple is another vendor that has some progress to make in both vulnerability disclosure and in the adoption of a regular schedule, but they do offer tools to remotely patch their systems, so in that area they are ahead of Oracle. They need to provide better tools for centralized patch management, but at least they are making steady progress on this front. Adobe is another vendor that has been on a regular patch schedule since 2005.
Most recently, Cisco has announced that they will make life more deterministic for IT managers by offering up a regular patch management schedule, twice per year. Excellent. Proper project planning is at the heart of any successful IT or business project, and this is especially true for Information Security projects. Let's hope that Cisco can expand on this by adding assessment tools at some point in the not-too-distant future.