Recently, the largest database technology community in China launched an interesting survey, "How many DBAs patch their databases?". The findings are worrying and reflect the problem of how Oracle database security patches are handled.
The survey shows that the share of users who have never patched is as high as 35.71%, and the share who only occasionally patch is 57.14%. Together these two groups account for more than 90% of respondents. Only 7.14% of users patch every quarter, in step with the Oracle patch release cycle.
The picture is similar to that of DBAs outside China. Most DBAs neglect to apply database patches, which suggests insufficient awareness of security issues.
It is understood that two situations may prompt users to install patches promptly. First, Oracle officially issues a high-level, serious security warning; second, database operations have already been affected because patches were not installed in time. Otherwise, routine patch update notices do not attract DBAs' attention.
Flybuffer, a netizen, said in the discussion thread that if it is an intranet database, it is generally not patched unless a system vulnerability is found to have affected the operation of the database. In any case, our organization's database has never been patched.
In addition, the Oracle patch itself poses a risk to production databases, which is another important reason DBAs are reluctant to apply patches. A DBA who took part in the survey told reporters: "I installed a patch once before, and it caused a bit of a problem with the development database. It was a bit uncomfortable, but it was only a development database. So I usually install all the patches only before the database goes into service. Once it is in development or production operation, it rarely happens again."
It is understood that most DBAs cannot take on the heavy testing work that follows a patch update. Strictly speaking, after a patch is installed the database must undergo thorough testing before it can be returned to operation. Even so, a latent problem may not be detected in time, and on a production database the impact can be severe. The time and risk costs of these problems are too high for DBAs.
Obtaining Oracle security patches
In fact, a huge group of people do not patch because they cannot obtain the software that fixes these database bugs. You must have a Metalink account to download security patches. If you have not purchased the expensive support services, you cannot obtain these updates.
This is strange logic. You have spent money to buy a defective product, and when the vendor fixes the defect, you must spend money again to obtain the fix.
Depending on your license agreement and Oracle support level, you may have to pay Oracle tens of thousands of dollars in technical support fees each year. Many managers misunderstand the scope of Oracle technical support, and many have not yet figured out what Oracle technical support actually includes.
Oracle provides support at different scopes, from on-site Oracle Support (Gold support) to the slightly lesser Silver support, down to Bronze support. The "gold, silver, and bronze" support levels all belong to the "Metal" tier, and all of them require access to Oracle MetaLink.
MetaLink provides support in three fields:
Basic diagnostics: Helps explain error codes and dump files.
Bug solving: Oracle software engineers help fix bugs together.
Remedy: assists in locating workarounds or patches for unknown issues.
This "support" does not include other services such as patch installation, software customization, or hands-on primary DBA work. Oracle does, of course, offer remote consulting, but at a fee of no less than $500 per hour. Some experts believe that Oracle has deliberately set the consulting quote high to discourage customers from relying too heavily on Oracle technical support instead of hiring a full-time DBA.
Even worse, many customers who have purchased technical support are not satisfied with it. The value of Oracle technical support has long been widely questioned both in China and abroad. As a result, a large number of enterprises have dropped Oracle's own technical support and prefer to seek help from independent experts. However, when you terminate Oracle Support, you lose the right to obtain patches and upgrades. That is the vicious circle.
I wonder whether anyone in the world has measured the losses caused by failing to update Oracle database patches on time. Could these situations prompt Oracle's service department to think deeply about the problem?