Best Practices For Oracle And Database Patching

  /     /     /  
Publicated : 22/11/2024   Category : security


Best Practices For Oracle And Database Patching


Oracles massive pile of patches this week complicated the already onerous process of updating the database, other apps



As Oracle prepares to dump a passel of 81 security fixes on its user base -- including seven critical patch updates (CPUs) for its database product -- many database administrators are preparing to patch their Oracle database platforms accordingly. But if recent numbers from the Independent Oracle Users Group annual security survey are an accurate barometer, there are still plenty of others who will sit on the CPUs due out next week for a year or longer. Security experts believe organizations first need to improve these numbers by instituting patching best practices for databases.
I find it funny that there are patches everywhere else that are applied on a regular basis to machines like desktops and so on, but it is still not a general practice for the databases, says Michelle Malcher, director of education for IOUG and a DBA and team lead at a Chicago-based financial firm.
According to a recent survey of its members, only 37 percent of organizations patch their systems within the same three-month cycle that CPUs are released. Approximately 28 percent either take a year or more to patch, have never applied a CPU, or dont know how long it takes them to patch their databases.
Malcher believes there are a number of systematic steps that organizations can take to improve their processes. She recommends garnering executive buy-in with cooperation of DBAs and security team: Many DBAs are up against the wall with diminishing maintenance windows and uptime demands by management and application owners that make it near impossible for them to meet and still apply patches on schedule. She suggests that DBAs can make the sale for more breathing room with the help of a security team member who would be prepared to offer these line-of-business leaders the low-down on how much financial risk the company would be under if it chooses to forgo regular patching.
Something like that would be very helpful, Malcher says. Then you have buy-in across the board. Because when youre a DBA looking at 2,000 databases you have to patch, thats a pretty big task to take on, and if you had all the people in the room -- security and management -- saying, OK, we may not need to do quarterly patches, but weve decided to do semiannual patches or have each quarterly patch applied by the next month, thats a good start.
And wouldnt it be nice if you didnt have to always apply a patch every time a CPU is released? If you configure your databases properly, then you dont. By uninstalling database components that your organization doesnt use, youre not only reducing your attack surface for future threats, youre also lowering the number of moving parts that need fixing every time the Oracle team finds a vulnerability.
Honestly, the first step is not to necessarily install all of the components of the Oracle database if youre only using specific components, Malcher says.
She says the only good patching is regular patching, and without some sort of plan it is inevitable that databases will fall through the cracks. Organizations should choose a patch window theyre comfortable with based on their appetite for risk and their resources, and then set out procedures in advance that theyll be able to stick with once patches are released in order to meet their goals time line.
The plan should include how and when the patches should be tested, how the organization will choose which patches are rolled out first and how the organization will deal with patches that cause problems. When you have that process planned out, it is fairly straightforward for you to run through when CPUs are released, Malcher explains.
Testing patches before going live is critical in database environments that organizations depend on. DBAs must not forget that they should not only be testing how the patch reacts within a test environment when it is deployed, but also what happens when that patch is rolled back. This gives the organization a way out should there be a need for more troubleshooting if a live deployment doesnt work out.
There should be a simple back-out plan for CPUs, Malcher says. You should have a good tested backup and recovery plan for the databases and should test your roll-back plan during your testing of that patch so if something goes wrong you have a quick way to roll that patch back and continue on.
Malcher recommends leveraging Oracles documentation to prioritize patches, too. There once was a time when there was a real reason for DBAs disdain for Oracle patches, back before Oracle instituted its no-nonsense CPUs that only patched critical security errors and didnt try to monkey with anything else within the database. Now organizations can be assured theyre truly fixing things that really need to be patched.
But even within the CPUs, some fixes may be more important than others, depending on the install and the business environment. Malcher says that Oracle does a good job offering very thorough documentation of the risk level of each vulnerability fixed. The documentation provided from Oracle with the vulnerability scores basically shows which pieces of the database are affected, she says.
Organizations should prepare themselves by reading through the documentation and using it as a way to prioritize its patches, she adds.
Have a comment on this story? Please click Discuss below. If youd like to contact
Dark Readings
editors directly,
send us a message
.

Last News

▸ Some DLP Products Vulnerable to Security Holes ◂
Discovered: 23/12/2024
Category: security

▸ Scan suggests Heartbleed patches may not have been successful. ◂
Discovered: 23/12/2024
Category: security

▸ IoT Devices on Average Have 25 Vulnerabilities ◂
Discovered: 23/12/2024
Category: security


Cyber Security Categories
Google Dorks Database
Exploits Vulnerability
Exploit Shellcodes

CVE List
Tools/Apps
News/Aarticles

Phishing Database
Deepfake Detection
Trends/Statistics & Live Infos



Tags:
Best Practices For Oracle And Database Patching