'

Oracle defends security record

Oracle has shrugged off criticisms of its recent security record, saying that one of the company's biggest concerns is that its customers are so used to being secure that they are not used to applying patches.Hasan Rizvi, vice president of security products at Oracle, told ZDNet Australia  on Wednesday that unlike rival Microsoft, security has always been a high priority at the database maker.

Oracle has shrugged off criticisms of its recent security record, saying that one of the company's biggest concerns is that its customers are so used to being secure that they are not used to applying patches.

Hasan Rizvi, vice president of security products at Oracle, told ZDNet Australia  on Wednesday that unlike rival Microsoft, security has always been a high priority at the database maker.

"If you look at the overall track record of Oracle it is far better and is very strong compared to anyone else. What is different about us is that we have been doing [security] for so long that it is not as much of a news item.

"Microsoft declared that on a certain date that it is all about security. What do you say to that? We have been doing this all along," said Rizvi.

Rizvi also commented on a recent advisory published by analyst group Gartner, which claimed that Oracle could no longer be called a 'bastion of security' because of the sheer number of serious flaws that have recently been discovered in the company's products.

According to the advisory, which was published by Gartner analyst Rich Mogull in late January, "the range and seriousness of the vulnerabilities patched in this update cause us great concern.... Oracle has not yet experienced a mass security exploit, but this does not mean that one will never occur."

Oracle shares many problems with network hardware giant Cisco, according to Don Leatham, director of solutions and strategy at Patchlink, who explained that because databases and routers are part of the critical infrastructure administrators find it difficult to take the systems offline to update them.

"Typically, with databases, routers and switches, automation is not as important as reliability and uptime. It is very difficult for these departments to decide the risks of a system that typically hackers are not trying to exploit versus bringing the system down and making sure it is totally secure," said Leatham.

But Oracle's Rizivi argues that the company has developed automation tools to help customers apply fixes.

"In an IT environment there are lots of complexities and if you look at the Oracle software, people have to apply the patches -- we have delivered a lot of tools to make it more easy to do that.

"Our customers are so used to high security that when there is a vulnerability they don't apply the fix because they are not used to it, which is an interesting position to be in. People have to apply them and we can't do too much about that," said Rizivi.

Rizvi was adamant that despite the criticism, Oracle still leads the way when it comes to security.

"I think some of the problems are, ironically, because of our strong track record and [customers] don't take some of the processes to fix them seriously. Overall we are very proud of our security track record and I think that is still recognised by everybody," said Rizvi.