Many Oracle enterprises ignore its patches, says study

The news comes in the same week that Oracle released its quarterly Critical Patch Update (CPU), containing 27 fixes for products including Oracle Database, Application Server, Collaboration Suite, and E-Business Suite and Applications.

The study, conducted by database security software firm Sentrigo, found that most companies are not applying Oracle CPUs in a timely manner.

The study, conducted at meetings of US Oracle user groups in various cities, collected responses from 305 database administrators, consultants and developers between August 2007 and January 2008.

Just 31 respondents, or 10%, reported that they had applied what was then the most recently issued Oracle CPU, and 206 out of 305, or 67.5%, said they had never applied any Oracle CPU at all.
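A DBA who wants to know where a given instance stands can check the patch history the database itself records rather than rely on memory. The query below is an added example, not part of the article or of Sentrigo's study; it assumes an Oracle 10g or 11g database of the period, where a CPU's post-install script (catcpu.sql) inserts a row into the DBA_REGISTRY_HISTORY view, and an account with SELECT privilege on that view. The sample values in the comments are illustrative.

```sql
-- Added example (not from the article): list the patch actions the
-- database has recorded. Each CPU's post-install script inserts one
-- row here, so no rows, or a COMMENTS value naming an old CPU, means
-- the instance is behind the current quarterly release.
-- Assumes Oracle 10.2+ and SELECT on DBA_REGISTRY_HISTORY.
SELECT action_time,
       action,          -- e.g. 'CPU' or 'APPLY'
       namespace,       -- 'SERVER' for patches to the database home
       version,         -- base release, e.g. '10.2.0.3.0'
       id,              -- Oracle patch number
       comments         -- e.g. 'CPUJan2008'
  FROM dba_registry_history
 ORDER BY action_time DESC;
```

One caveat: this view only reflects the SQL half of a CPU. If the binary patch was installed with OPatch but catcpu.sql was never run against the database, the row is missing even though the Oracle home is patched, so the result should be compared with `opatch lsinventory` output from the OS shell before concluding that an instance is unpatched.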

Sentrigo chief technology officer Slavik Markovich said the results were surprising to some and not to others.

“It is difficult to test and deploy updates without disrupting systems,” he said, adding that IT security staff may not be fully aware of what is going on on the database side.

Markovich said he was under the impression that more people patch at least once a year.

“It’s a lot of work not just to check the database but you have to check the applications that are actually attached to the database,” he said. “And this can take a lot of time.”

Rani Osnat, vice-president of marketing at the Woburn, MA-based company, said that never applying a CPU shows at least a lack of understanding of what database vulnerabilities mean and what kind of risk they pose, and a lack of action on it. “I think it has to be understood that patching is part of running a database responsibly.”

However, Paul Davie, founder of Oxford, UK-based database security company Secerno, believes DBAs may feel that patching creates more problems than it solves. “Patching security holes is expensive; the database needs to be taken offline during the fixing process, often rendering the heart of the business out of action for a period of time, and having an unknown impact on applications etc. The other problem is the need to regression-test prior to patching, to ensure the patch won’t break existing business processes.”

Sentrigo believes database security is simply not a major priority among IT security folks. “Most IT security people are more familiar with network security or operating systems,” Markovich said. “Still not doing anything is not an option.”
