* Ryan Naraine is traveling.
Guest editorial by Slavik Markovich
Why are people not patching? There are many legitimate reasons.
Application certification, for example, is a real obstacle. Enterprises have applications running on top of the database, and those applications are only certified for a specific version and release of the database. Patch the database, and any problems caused in the application are not covered in your maintenance agreement.
Database downtime, on the other hand, has a cost in business interruption and labor, which should be weighed against the benefit of patching – i.e. the reduction in risk. The same is true for staffing constraints: if you consider the risk of not patching frequently intolerable to your business, you will find the personnel to handle it, but if you feel the risk does not outweigh the cost, you could resign yourself to patching less frequently.
The issue is that few organizations actually take this as a calculated risk. Rather, they just can’t manage the mammoth patching process and cross their fingers. So not only are most organizations not “doing the right thing” – they’re hardly doing anything.
I’ll go out on a limb here and say this: telling organizations that they must apply all patches as soon as they come out, when the reality is that it is not feasible, not practical or not cost-effective to do so, is like telling Paris Hilton she should get a PhD in Philosophy. It’s just not going to happen no matter what you say.
It’s time to think of patching in a different way. We need a feasible, repeatable framework that enables each organization to patch as much as possible while optimizing cost against risk reduction.
I would suggest taking the following steps:
I believe that taking such steps can simplify the patching conundrum and reduce the bulk of the risk, which many organizations are currently taking on blindly.
* Slavik Markovich is the co-founder and CTO at Sentrigo. He is a renowned authority on Oracle and JAVA/JavaEE technologies, has contributed to open source projects such as Spring Framework Toplink integration (later incorporated by Oracle), and is a regular speaker at industry conferences.