oracle patching issues

A 3rd party recently conducted a penetration test/vulnerability assessment which included Oracle database servers with an underlying IBM AIX OS. The results of the test showed a number of missing patches on both platforms and recommended that the patch management process for this software be looked into.

Our DBA has informed us they only patch at the instruction of the application developers (often external to the organisation), claiming that if they apply patches the application and application DB could be negatively affected. But at the same time, not patching because it could break something also leaves security holes to sensitive data.

So in such cases – where is the middle ground? What should the DBA do to demonstrate they have flagged this issue and are doing all they can to keep software up to date and secure?
johnsone (Senior Oracle DBA) commented:
There may be no middle ground.

I had a situation where we had a similar audit.  The third party software is run and tested with a certain set of database patches.  If you deviate from that set of patches, they will not support the software and you are on your own.  Software support for the products that run your company are pretty important.

In order to satisfy the audit, you should only need to tell the auditors that we have to keep the current patch levels to keep the support for the product.  You may need to produce a support agreement from the third party to show that.

The violation essentially becomes a risk that you have to take.

Depending on what the risk is, there may be other ways to mitigate it that the auditors will accept, but that is not always possible.  For example, if the risk is to external access, as long as the database server is on a network that has no external access, that should be a valid mitigation.  However, every auditor is different and they don't always accept that.

You are the one in control of your environment.  Not the auditors.  I have had auditors say that certain things needed to be changed, but if you did what they said, Oracle would not support the database anymore (and they publish Metalink articles to show that) and in some cases, the database would cease to function properly.

slightwv (Netminder) commented:
Even though you already accepted an answer I wanted to share my 2 cents:
Oracle is FAMOUS for introducing new bugs with their patches.  You can even undo previous patches with new ones if you have installed any one-off patches (not patchsets).

I've lived this one.  I installed a one-off to fix bugA.  Later found bugB and they had a patch for that.  Well, the patch for bugB didn't have the fix for bugA so I was in a bug loop until a patchset came out.

Here is what I've told our security folks when I've been told I'm behind in my patches:
I will install whatever patch you order me to install but I will NOT stay past my normal working hours to fix any bugs/problems they introduce.

In other words:  You all own the responsibility of me applying the patch.  I'll not work overtime or weekends to fix the problems YOU caused.

I never hear back from them.
Question has a verified solution.