You Still Stink At Patching Databases

Only about a fifth of organizations patch their databases within three months, and that number is unlikely to get better anytime soon, experts say
Last week's quarterly Critical Patch Update from Oracle fixed only one issue in the software giant's core database product, which is pretty fortuitous for most enterprises because even after years of warnings about it, database patch cycles still continue to lag. In fact, the numbers show that enterprises may actually be getting worse at patching databases rather than improving.

"Organizations still take about nine months to patch their databases, and the hackers need a few days whenever the patch comes out to design their attacks," says Rothacker, director of security research for Application Security Inc., who believes that if enterprises could do one thing to drastically improve their database security, it would be to pick up the pace on patching their databases. "The key thing is [to] speed up your patch cycle and whenever patches come out."

According to the most recent Independent Oracle Users Group survey released late last year, just 19 percent of organizations apply Oracle database patches to their systems before the next CPU is released by the firm. That figure is down by 10 percentage points from the previous year.

[How can classifying data help reduce risks in the cloud? See It's Classified: The Secret To Cloud Risk Management Success.]

"There is a full one-third that either don't apply the patches or are unaware of whether they are applied," wrote report author Joe McKendrick, analyst for Unisphere Research, who broke down the statistics to show that 11 percent of organizations take more than a year to patch or have never applied a patch to their databases, and 27 percent don't even know how long it takes to update their databases.

It's a disconcerting trend for data security experts like John Linkous, chief security and compliance officer at eIQnetworks, who, alongside Rothacker, considers database updates to be one of the most obvious ways to improve security around the database.

"Perhaps the easiest and most effective solution for securing databases -- installing vendor patches as quickly as possible -- will help to mitigate threats due to known vulnerabilities," he says.

But some database security pros say patching isn't as easy as it sounds.

"If you have thousands or even hundreds of databases, and Oracle releases a patch every quarter, then it's almost impossible for you to go each and every quarter, for each and every database that you have, and retest all your applications, actually apply the patch, and absorb that downtime," says Slavik Markovich, vice president and CTO of database security for McAfee.

As he explains, all of those difficulties are rendered even more impossible to surmount by enterprise dependencies on legacy databases.

"It's a very hard process," he says, "not to mention the fact that a lot of those databases are old, so they don't receive any security patches anymore."

As Markovic surmises, database patch cycles simply aren't going to improve "in the foreseeable future," which is why he believes organizations need to be more pragmatic about database security.

"Patching is still going to be a big problem, so you have a mitigating solution that provides a compensating control to protect your databases even though they are not patched," he says.

In the rush to pick up monitoring for checkbox compliance reasons, these kind of vulnerability and patch mitigation features are sometimes an overlooked facet of database activity monitoring technology. But they're usually available, so if an organization can't patch, they should be looking for workarounds to still reduce the attackable surface of the database, Rothacker agrees.

"Obviously, you can't always patch," he says. "So if you can't, make sure your activity monitoring is up to date with the latest signatures. Any of the database security vendors go and produce new signatures as soon as we can. We analyze those patches and try to get [mitigating measures] out as quickly as we can, sometimes even before a patch is released if our researchers were the ones to report the problem to the vendor."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.