February 04, 2021

Iain Saunderson | CTO

This is the second installment in our five-part series that addresses some of the most frequently asked questions we hear from those who doubt the value of third-party Oracle software support. The response is taken from “The Skeptics Guide to Oracle Third-Party Support,” a complimentary resource available for you to download.

Question: “How can you protect my applications without Oracle security patches?”

Perhaps the most common concern of skeptics is security because Oracle will not provide security patches to customers who cancel support. We are asked whether we have the ability to provide adequate software and application security.

Oracle says we cannot because only it can access the source code and find and address existing bugs or vulnerabilities within its own software. While this argument is true concerning the code, it is misleading at best concerning overall protection.

In fact, proper security is multi-layered and complex, not a reactive, one-size-fits-all patching model. Spinnaker Support deploys a Seven-Point Security Solution (described below) that allows us to personalize our approach to protecting your unique environment. Here is why this is better than patching.

First, patches are far from perfect.

Oracle delivers security patches quarterly to address Common Vulnerabilities and Exposures (CVEs). These Critical Patch Updates (CPUs) have issues themselves: they are reactive, expensive to implement, block only known threats, come well after a vulnerability has been discovered or actively exploited, and may not be successful.

For the twelve months of patches from 2Q19 to 1Q20, 22 of the 67 Database patches (33%) were repeats of previous patches going back to 2016 that did not originally fix the issue. Let’s repeat that: the vulnerabilities were not fixed, so the original Oracle patches needed patches.

Second, patching is not always deployed well.

While it’s best practice to deploy patches in a timely manner, many businesses fall behind or make the decision not to do it. Patching using Oracle’s CVE approach can be costly, involve time-consuming testing, and often result in unintended consequences, like issues with performance degradation.

You should know where your IT and security teams stand on this practice. Have they installed the latest CPUs? We often discover that the users who are most adamant about remaining on Oracle-provided support are not actively applying patches in a timely manner; they simply like the idea that patches are available if needed. This defeats the entire purpose of patching!

That is why Defense in Depth is more effective.

Vulnerabilities and exposures now come from a variety of external and internal sources, so effective security must be multi-layered and address the full technical stack. True security is a process, not a patch.

Spinnaker Support’s global security team offers a Seven-Point Security Solution that covers the core security concepts of Discover, Harden, and Protect. It comes standard with our third-party support contract at no extra cost.

This approach combines timely recommendations, configuration changes, and other operational workarounds to remediate any security issues you encounter (we call these “compensating controls”). The security solution can also include external products for virtual patching, intrusion detection and prevention, and services such as proactive monitoring.

Does this approach work? When we recently surveyed our customers on this topic, over 98% of respondents indicated that our security and vulnerability protection is at least as good as, or better than, that delivered by the publisher.

Important Note: Oracle does not provide patches for versions on its Sustaining Support. Security concerns don’t lessen when Oracle decides to strip you of patches, so moving from Sustaining Support to our third-party Oracle support is a clear win for your security efforts.

Download the Complete Skeptics Guide

The above response is an excerpt from “The Skeptics Guide to Oracle Third-Party Support,” a resource that addresses 15 of the most frequently asked questions we hear from prospective customers – ones that you may have as well. Throughout the guide, we offer recommendations and links to other resources to help you determine if third-party Oracle support is a good fit for your organization.

Skeptics are direct people who want direct answers, so this guide presents straightforward, honest, and fact-based explanations. If you’re a skeptic of third-party Oracle support, then this guide is for you. If you’re not one yourself but have one or more on your team, then this guide can be a powerful tool to help you to win them over.

Download the US-English Skeptics Guide

Download the UK-English Sceptics Guide