Oracle FAQ Your Portal to the Oracle Knowledge Grid
HOME | ASK QUESTION | ADD INFO | SEARCH | E-MAIL US
 

Home -> Community -> Mailing Lists -> Oracle-L -> Re: Risk Calculator for Oracle Critical Patch Updates

Re: Risk Calculator for Oracle Critical Patch Updates

From: Andre van Winssen <dreveewee_at_gmail.com>
Date: Mon, 26 Nov 2007 18:33:03 +0100
Message-ID: <9b46ac490711260933k40f0f9fcsd911d933c7ba6502@mail.gmail.com> 





Niall,



thanks for sharing. But what is a better way to come to agreement? In my
organisation it is difficult to get additional downtime for patching
something that hasn't led to (security) incidents yet. So what can we
database security focal points do, sit and wait until the security incidents
start happening or be optimistic and forget about cpu's altogether or until
regular maintenance cycle comes in?  CPU's are really hot potatoes in this
respect.



Indeed we have to agree first on *Environmental Score Metrics *and the *
thresholds* but once that is done it's pretty straightforward. What I want
to achieve is to get buy-in in advance from the businesses and dba managers
for when these tresholds are exceeded.



Skipping cpu's means that the score should go up as the nr of fixes missed
has increased. But how much..who knows?



If database security was only a nightmare I could forget about it after
waking up !



Regards,


Andre





2007/11/26, Niall Litchfield <niall.litchfield_at_gmail.com>:


>

> Well I'm one of those groups (dba and manager) and it seems to me that

> CVSS only really helps where the organisation doesn't have a basis for

> discussion already. In particular it's a little overstating the case to

> state that CVSS is objective given that it scores based on subjective

> judgements on a number of the core elements of the score (eg collateral

> damage potential). In addition it's difficult to see how to relate CVSS

> scores to dollar cost of implementing the fixes. Especially as the dollar

> cost may not be known - applying a cpu may require one or more application

> code updates and associated testing. So for example the Oct CPU score for my

> organisation I calculate as 5.9. Is that enough to delay a project

> promised before year end or not? That in the end can't be an objective

> decision. Suppose I decide it doesn't justify it, and go through a similar

> process with the next 2 CPUs (say they score 5.8 and 6.3). Does the fact

> of not having applied 2 previous CPUs affect how I use the score of 6.3 in

> 6 months time?

>

>

> --

> Niall Litchfield

> Oracle DBA

> http://www.orawin.info

>



--
http://www.freelists.org/webpage/oracle-l


Received on Mon Nov 26 2007 - 11:33:03 CST












Original text of this message













  HOME |
  ASK QUESTION |
  ADD INFO |
  SEARCH |
  E-MAIL US