Security expert calls for Oracle makeover

Poor patching process prompts calls for sweeping changes at enterprise giant

A UK security expert has called for change in Oracle’s security strategy, including the removal of the firm’s chief security officer.

David Litchfield of NGS Software had a public dispute with Oracle over its attitude towards patching early this year over what he said was a “very, very serious” problem with an Oracle database component called PL/SQL Gateway. That problem was patched in the Oracle Critical Patch Update posted on Tuesday but Litchfield and others still insist Oracle needs to do more to fix security issues.

“The blame falls squarely on [Oracle chief security officer] Mary Ann Davidson,” he said. “Her policies have failed and it’s time for her to move on. Microsoft understood a long time ago what the problems were and now everything is fine.”

Both Litchfield and fellow security researcher Alexander Kornbrust of Red Database Security said Oracle could take a lead from Microsoft and work more closely with security experts. Both also said Oracle has a problem with the quality of the patches themselves, although neither had any issues with the company's quarterly release schedule for updates.

“I’m happy with the quarterly cycle providing they get the patch right first time,” Litchfield said. “The most important thing is that people have the confidence to install the patches.”

Kornbrust said Oracle regards security researchers as “enemies” and that it made “stupid” errors in its patches.

Oracle declined to comment directly but reiterated past statements that it “patches security vulnerabilities in severity order with the most severe vulnerabilities being patched before less severe vulnerabilities”.