
Re: Risk Calculator for Oracle Critical Patch Updates

From: Andre van Winssen <dreveewee_at_gmail.com>
Date: Mon, 26 Nov 2007 18:33:03 +0100
Message-ID: <9b46ac490711260933k40f0f9fcsd911d933c7ba6502@mail.gmail.com>


Niall,

thanks for sharing. But what is a better way to come to agreement? In my organisation it is difficult to get additional downtime for patching something that hasn't led to (security) incidents yet. So what can we database security focal points do: sit and wait until the security incidents start happening, or be optimistic and forget about CPUs altogether, or wait until the regular maintenance cycle comes in? CPUs are really hot potatoes in this respect.

Indeed we have to agree first on the Environmental Score Metrics and the thresholds, but once that is done it's pretty straightforward. What I want to achieve is to get buy-in in advance from the businesses and DBA managers for when these thresholds are exceeded.

Skipping CPUs means that the score should go up as the number of fixes missed increases. But how much? Who knows?

If database security were only a nightmare I could forget about it after waking up!

Regards,
Andre

2007/11/26, Niall Litchfield <niall.litchfield_at_gmail.com>:
>
> Well I'm one of those groups (dba and manager) and it seems to me that
> CVSS only really helps where the organisation doesn't have a basis for
> discussion already. In particular it's a little overstating the case to
> state that CVSS is objective given that it scores based on subjective
> judgements on a number of the core elements of the score (eg collateral
> damage potential). In addition it's difficult to see how to relate CVSS
> scores to dollar cost of implementing the fixes. Especially as the dollar
> cost may not be known - applying a CPU may require one or more application
> code updates and associated testing. So for example the Oct CPU score for my
> organisation I calculate as 5.9. Is that enough to delay a project
> promised before year end or not? That in the end can't be an objective
> decision. Suppose I decide it doesn't justify it, and go through a similar
> process with the next 2 CPUs (say they score 5.8 and 6.3). Does the fact
> of not having applied 2 previous CPUs affect how I use the score of 6.3 in
> 6 months time?
>
>
> --
> Niall Litchfield
> Oracle DBA
> http://www.orawin.info
>

--
http://www.freelists.org/webpage/oracle-l
Received on Mon Nov 26 2007 - 11:33:03 CST
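The thread argues over two things: how the CVSS environmental metrics (Collateral Damage Potential, Target Distribution and the C/I/A requirements) turn Oracle's published base score into a site-specific number, and what to do with that number once a threshold is agreed. The following is an added worked example, not code from either poster or from Oracle: it implements the CVSS v2.0 formulas (the June 2007 guide, which defines the Collateral Damage Potential metric Niall refers to) and shows how the same vulnerability scores very differently on a production box versus a throw-away test box once the environmental metrics are filled in. The sample vectors are constructed for illustration and do not describe any particular CPU fix, and the threshold and "how many skipped CPUs is too many" rule in patch_decision() are assumptions standing in for whatever a site actually agrees on; the thread itself leaves that open.

```python
"""CVSS v2.0 base, temporal and environmental scoring with an out-of-cycle patch rule.

Added worked example for the thread above; not code from the list posters.
Metric weights and formulas follow the CVSS v2.0 guide. The threshold and
backlog policy in patch_decision() are assumptions for illustration only.
"""
from decimal import Decimal, ROUND_HALF_UP

# CVSS v2 metric weights, keyed by metric abbreviation then value abbreviation.
WEIGHTS = {
    "AV": {"L": 0.395, "A": 0.646, "N": 1.0},                          # access vector
    "AC": {"H": 0.35, "M": 0.61, "L": 0.71},                           # access complexity
    "Au": {"M": 0.45, "S": 0.56, "N": 0.704},                          # authentication
    "C": {"N": 0.0, "P": 0.275, "C": 0.660},                           # confidentiality impact
    "I": {"N": 0.0, "P": 0.275, "C": 0.660},                           # integrity impact
    "A": {"N": 0.0, "P": 0.275, "C": 0.660},                           # availability impact
    "E": {"U": 0.85, "POC": 0.9, "F": 0.95, "H": 1.0, "ND": 1.0},      # exploitability (temporal)
    "RL": {"OF": 0.87, "TF": 0.90, "W": 0.95, "U": 1.0, "ND": 1.0},    # remediation level
    "RC": {"UC": 0.90, "UR": 0.95, "C": 1.0, "ND": 1.0},               # report confidence
    "CDP": {"N": 0.0, "L": 0.1, "LM": 0.3, "MH": 0.4, "H": 0.5, "ND": 0.0},  # collateral damage potential
    "TD": {"N": 0.0, "L": 0.25, "M": 0.75, "H": 1.0, "ND": 1.0},       # target distribution
    "CR": {"L": 0.5, "M": 1.0, "H": 1.51, "ND": 1.0},                  # confidentiality requirement
    "IR": {"L": 0.5, "M": 1.0, "H": 1.51, "ND": 1.0},                  # integrity requirement
    "AR": {"L": 0.5, "M": 1.0, "H": 1.51, "ND": 1.0},                  # availability requirement
}
OPTIONAL_DEFAULTS = {"E": "ND", "RL": "ND", "RC": "ND",
                     "CDP": "ND", "TD": "ND", "CR": "ND", "IR": "ND", "AR": "ND"}


def round1(x):
    """CVSS 'round_to_1_decimal': round half up, after trimming float noise."""
    return float(Decimal(repr(round(x, 6))).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def parse_vector(vector):
    """Parse 'AV:N/AC:L/.../AR:M' into {metric: weight}; omitted optional metrics are ND."""
    chosen = dict(OPTIONAL_DEFAULTS)
    for part in vector.split("/"):
        name, value = part.split(":")
        if name not in WEIGHTS or value not in WEIGHTS[name]:
            raise ValueError("unknown metric %s:%s" % (name, value))
        chosen[name] = value
    for required in ("AV", "AC", "Au", "C", "I", "A"):
        if required not in chosen:
            raise ValueError("base metric %s missing" % required)
    return {name: WEIGHTS[name][value] for name, value in chosen.items()}


def _base_from_impact(m, impact):
    exploitability = 20 * m["AV"] * m["AC"] * m["Au"]
    f_impact = 0.0 if impact == 0 else 1.176
    return round1((0.6 * impact + 0.4 * exploitability - 1.5) * f_impact)


def base_score(m):
    impact = 10.41 * (1 - (1 - m["C"]) * (1 - m["I"]) * (1 - m["A"]))
    return _base_from_impact(m, impact)


def temporal_score(m, base=None):
    base = base_score(m) if base is None else base
    return round1(base * m["E"] * m["RL"] * m["RC"])


def environmental_score(m):
    # C/I/A requirements scale the impact; CDP and TD then scale the adjusted temporal score.
    adj_impact = min(10.0, 10.41 * (1 - (1 - m["C"] * m["CR"])
                                      * (1 - m["I"] * m["IR"])
                                      * (1 - m["A"] * m["AR"])))
    adj_temporal = temporal_score(m, _base_from_impact(m, adj_impact))
    return round1((adj_temporal + (10 - adj_temporal) * m["CDP"]) * m["TD"])


def score(vector):
    m = parse_vector(vector)
    return {"base": base_score(m), "temporal": temporal_score(m),
            "environmental": environmental_score(m)}


def patch_decision(outstanding_env_scores, threshold=7.0, max_skipped=2):
    """Illustrative policy (an assumption, not from the thread): patch out of cycle
    when any outstanding fix reaches the agreed environmental threshold, or when
    more CPUs than max_skipped have been deferred regardless of their scores."""
    if not outstanding_env_scores:
        return "nothing_outstanding"
    if max(outstanding_env_scores) >= threshold or len(outstanding_env_scores) > max_skipped:
        return "patch_now"
    return "defer_to_maintenance_window"


# Constructed sample: one remotely reachable, authenticated flaw with partial C/I/A impact,
# a functional exploit and an official fix, scored for two environments (not a real CPU entry).
PROD = "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:F/RL:OF/RC:C/CDP:MH/TD:H/CR:H/IR:H/AR:M"
TESTBOX = "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:F/RL:OF/RC:C/CDP:L/TD:L/CR:M/IR:M/AR:M"

if __name__ == "__main__":
    for label, vec in (("production", PROD), ("test box", TESTBOX)):
        print(label, score(vec))
    # Niall's three hypothetical CPU scores, all below threshold but three deep in the backlog.
    print(patch_decision([5.9, 5.8, 6.3]))
```

The same base score of 6.5 comes out at 7.7 for the production system and 1.5 for the test box, which is Niall's point about subjectivity in concrete terms: the environmental result is dominated by whoever fills in CDP, TD and the requirement metrics, so those choices have to be agreed per system class before the threshold means anything. When every optional metric is left at ND the environmental score collapses back to the base score, which is a useful sanity check on any calculator.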
