Oracle to better explain future patches

With Oracle set to release the year's final quarterly security fix on Tuesday, the database vendor is now making it easier for security professionals to understand the extent of the flaws being corrected.

At the urging of Oracle customers, the quarterly critical patch updates (CPUs) will now include documentation that more clearly explains the issues at hand, Eric Maurice, security manager in Oracle's Global Technology Business Unit, said in a Wednesday blog post.

Specifically, the updates will use the Common Vulnerability Scoring System (CVSS) to rate each bug, will identify which flaws are critical and remotely exploitable, and will include a "high-level" overview of each defect and its fix, similar to Microsoft's monthly security bulletins.

The initiative signals Oracle's deepening commitment to better security in light of recent criticism of its patching record.

"One of the key challenges security professionals face when they receive a vendor-issued security patch is to assess the criticality of the underlying vulnerability," Maurice said. "This assessment is critical when deciding the priority and timing of the patch in light of the risk created by the vulnerability and the organization's business requirements."

With each CPU, Oracle will include an executive summary that "will provide a plain English explanation of the vulnerabilities" that can be used "to brief executive management and other non-IT groups on the nature of the defects being patched."

Some security professionals have complained about the size of recent Oracle CPUs. In its latest update, in July, the company released 65 fixes for various versions of Oracle Database, Database Client, Application Server, Collaboration Suite, E-Business Suite and Applications, Enterprise Manager, JD Edwards and PeopleSoft.

In April, Oracle remedied 36 flaws, which was preceded by an 82-vulnerability fix in January and an 80-bug patch release the prior October. Following the January fix, a Gartner analyst criticised Oracle, saying it could no longer be considered "a bastion of security."

Ron Ben-Natan, CTO of database security firm Guardium, said the new features reflect Oracle's growing commitment to security.

"Oracle has always had a legacy of security," he told SCMagazine.com today. "They've always put stress on security, but they've also had some issues in the last couple of years. I think this is a very natural thing to do. It will make things more usable for their customers. I think it's important for Oracle to be doing this."

He said that Redwood Shores, Calif.-based Oracle, like other vendors, is beginning to value investment in security and to recognise that it serves as a competitive advantage.

Dan Kaplan, SCMagazine.com