Ziff Davis Internet
News & Resources for the IT Reseller
NewsReviewsTech AnalysisCommentarySecurityLinux/Unix
My Account |  

Oracle-on-Microsoft Shops Face Double Patching Delight
By Lisa Vaas

Patching systems is always painful, but Tuesday’s scenario of two major cumulative patch sets on the same day—from Oracle and Microsoft—is downright sadistic.

When will this patching madness end? Not soon. Although there’s a concerted effort on the part of ISVs to develop more secure code, analysts predict that it will take generations before this scrubbed-up, buttoned-down code catches up with the Swiss cheese that is legacy applications.


“The problems will only get worse, not better, anytime soon,” said Jon Oltsik, an analyst with Enterprise Strategy Group. “We’ll have more software, more integration, more functionality [and] new protocols, and all that stuff will, by its nature, be insecure out of the chute.”

If you’re running an Oracle Corp. database on top of a Microsoft Corp. platform, you have double the patching delight. A sizable number of people do indeed host that scenario, with Oracle being the No. 2 database to run on the Windows platform, right after Microsoft’s SQL Server database.

To ensure that patches don’t break anything, enterprises that have the resources and the ability to take their systems offline put patched systems into a testing environment. With regression testing, they replicate their production systems and run them through technical and financial transactions to ensure that production won’t grind to a halt because of a patch set.

It’s the safest way to go, and you’d think all enterprises would do it. “Those who test in production usually die by their methods,” said Mike Herald, a consultant at Pronto North America, an ISV that markets an ERP (enterprise resource planning) management system. “We’ve got the same issues with our products.”

Herald’s company learned the hard way that taking customers live on their software releases, without walking them through regression testing, translates into multiple nights of misery.

“I was in here working 10-hour days trying to repair the mess,” Herald said.

eWEEK.com Special Report: Database Security

Thanks to that learning experience, Pronto now declines to roll out software in live production environments. “We’ve since not done upgrades unless they name a project to the upgrade that dedicates resources, time and money,” he said. “In this case here, as a software company, it’s tough to say that, but we’ve come out and done that.”

PointerClick here to read about a fake Microsoft patch that triggered a virus attack.

Still, plenty of businesses forgo testing, given the laundry list of resources and the breathing room for system downtime that it requires. After all, enterprises need adequate space in server boxes to replicate their environments. They need manpower. They need to plan, coordinate and time potential disruption phases when the system can be down.

Herald’s wife, for example, who works as a project manager at another company, turned down Oracle’s April patch set because her employer didn’t make the necessary resources available to test the system outside the production environment.

“They basically turned down a patch set to 10g for one of the applications they were running, because a) they didn’t have the resources to provide a separate test instance, and b) they weren’t willing to take the risk to what the patch test would do to what they had in production,” Herald said.

“She, as project manager, said to the business, and to IS, ‘We’re not going to do it, not on my watch. You can’t give me the dedicated resources, both computer and people, to thoroughly test the patch set.'”

After all, Herald said, at least his wife’s employer had been living with the broken application. “What you don’t want is for it to break something else,” he said.

eWEEK.com Special Report: Keeping Pace with Microsoft's Patches

As far as testing the Microsoft-Oracle duo, Oltsik’s advice is to first test the platform—i.e., Windows—for two reasons. First, the application is only as stable as the platform on which it sits. And second, there are by far more attacks launched against Microsoft than against Oracle.

Regarding Oracle flaws, Oltsik recommends prioritizing patching according to severity. That’s not always an easy task, given the limited amount of information on severity that ISVs such as Oracle include in their alerts, and thus it requires digging into third-party sites that rate severity.

Also, Oltsik recommends keeping an eye on those who have access to the database. “I would … make sure anyone with access to the database is monitored, because they’re the most likely to go in and exploit those vulnerabilities,” he said.

For those shops doing any Oracle communications over the Internet, make sure the perimeter is secure as well. “[You don’t want to] poke a hole in the firewall that lets people over the Internet find my Oracle servers,” Oltsik said.

PointerCheck out eWEEK.com’s Database Center for the latest database news, reviews and analysis.



Free Hands-On Training Lab
Find out how key features of SBS 2003 can help you open up a new line of revenue. Register now >>

SBS 2003 Sales Reference Card
This handy reference card contains features at a glance, sales objection handling, pricing guidelines & more. Get it now >>

Microsoft Empower for ISVs rewards your big idea with big benefits and support.
Access key development tools at a low cost to help you develop that idea into an innovative application. Learn more >>

Changing Business for the Better: A Practical Guide to BPM

This paper provides an overview of the benefits of BPM technologies and identifies the characteristics of BPM solutions that lead to successful BPM process-centric integration projects.

Download this free white paper to learn more!

>> brought to you by IBM

Attention Microsoft Solution Providers!

Want to gain a competitive edge? Try Microsoft Watch – FREE!

Each week you receive:
  • Microsoft News and Insider Information
  • Expert Analysis
  • Code Names of Upcoming MS Products
  • Year-Ahead Calendar, updated monthly

    Click Here to sign up now for your FREE 14 Day Trial to Microsoft Watch.
  • Add up to $1,200 of value with the new BONUS PACKS.
  • HP PartnerONE: The key to increasing your margins.
  • HP Compaq nc6129 Business Notebook. $1149 Smart Buy
  • HP xw8200 workstation. Smart Buy price $1549.
  • ProLiant DL360G4p server: HP Smart Buy price $1647
  • Microsoft files new anti-piracy lawsuits. Learn more.
  • New offers with Windows Genuine Advantage.

    •Catalog Publishing
    •Dealer Management
    •Order Configuration
    •Price Management
    •Sales Management

    View All >

    Search the jobs you want & get the info you need – post your resume here today!

    Powered by Dice
    White Boxes
    MS vs. IBM
    Linux in the Channel
    Stay in the Zone
    Put The Channel Insider on your desktop.
    Subscribe to The Channel Insider: Channel News, Reviews, Resources and more.

    Make your selections below:

    Contract Watch

    The Channel Insider Update

    Preferred e-mail format:

    Enter your e-mail:

    view all newsletters >>
    Channel Insider Quick Links
    Ziff Davis Footer Logo