A 3rd party recently conducted a penetration test/vulnerability assessment which included Oracle database servers with an underlying IBM AIX OS. The results of the test showed a number of missing patches on both platforms and recommended that the patch management process for this software be looked into.
Our DBA has informed us they only patch at the instruction of the application developers (often external to the organisation), claiming that if they apply patches, the application and application DB could be negatively affected. But at the same time, not patching because it could break something also leaves security holes around sensitive data.
So in such cases – where is the middle ground? What should the DBA do to demonstrate they have flagged this issue and are doing all they can to keep the software up to date and secure?