Oracle is not dedicating sufficient resources to its patching process, and the process itself is slow, leaving vulnerabilities unsecured longer than is necessary, according to the CTO of a software security firm.
This week Oracle released its first critical security update of the year, which included fixes for 78 vulnerabilities.
Amichai Shulman, CTO of security firm Imperva, said he thought this figure was low given that Oracle has added its MySQL open-source relational database management system to the list of products affected by the patches.
He suggested that there could be a bottleneck in Oracle's patching process.
"If you were to introduce a new product, there should be more vulnerabilities [addressed overall], but this didn't happen. Could there be obstacles in the security and testing process?
"While introducing MySQL into the patch process is a good thing, it emphasises scalability problems. With the introduction of a new product, especially when it shows 27 fixes in this [release], you'd expect the number of overall patches to increase."
Shulman also expressed concern at the low number of patches addressing Oracle's database product, suggesting that, at only two, the number is unlikely to cover all the potential vulnerabilities.
He is concerned that the additional workload brought about by adding MySQL to the list of products to be patched may mean vulnerabilities on other products are being left unresolved.
"Either the database server has reached an amazing maturity in terms of security or Oracle did not have enough resources to include more fixes into the process.
"This may be a consequence of adding the new MySQL product to the patching process."
Shulman said that Oracle should address this bottleneck.
"[Oracle] should fix this bottleneck, especially as it introduces new products and acquisitions continue."