Unpatched Holes Keep Adding
Even more troubling, Argeniss researchers are finding known, unpatched holes stretching from Oracle's older 8i database through its latest 10g release, he said.
Davidson acknowledged that the company has a backlog of unpatched holes, though she disputed the numbers of holes quoted by researchers.
However, she attributed the build-up in patches to the company's shift to the quarterly CPU system, in which Oracle releases a large number of patches on a predetermined date each quarter.
According to Davidson, Oracle moved into the new quarterly CPU release schedule slowly and conservatively, causing the number of unfixed vulnerabilities to rise.
Starting in October, Oracle will "substantially increase" the number of fixes it releases each quarter to try to work through the backlog, she said.
Davidson has also taken a public stand against researchers like Litchfield and Kornbrust, who she says exaggerate the dimensions of security problems to get attention and expose innocent customers to unnecessary danger by revealing product holes.
"Good news doesn't sell," Davidson said, in response to a question about Litchfield's criticism of the OPatch utility.
While she acknowledges that some of the criticism from Litchfield and others is valid, she said outsiders aren't privy to the 75 percent of product holes that Oracle discovers and fixes internally.
Outsiders also underestimate the difficulty of transferring fixes to the different platforms and product versions that Oracle supports.
Davidson cited internal measurements that the company has reduced the time and expense of applying patches by 60 to 80 percent between the April and July CPUs, and that the company is receiving far fewer support calls following a patch release.
But those outside the company worry that Oracle has not embraced security as whole-heartedly as Microsoft, which has developed company-wide systems, processes and architectures for improving the security of its products.
"From an architectural standpoint, Microsoft is ahead," said Jon Oltsik, a senior analyst at Enterprise Strategy Group, in Milford, Mass.
"Oracle is doing a good job of addressing security in its products, but they haven't figured out how security fits into their internal processes and overall architecture," he said.
Despite its reputation as a security basket case, Microsoft has embraced software security as a central tenet, and has developed a consistent architecture for user authentication and access control, as well as product patch creation and distribution, he said.
Technologies like Active Directory and the Kerberos network authentication protocol are used consistently throughout Microsoft's product suite, whereas Oracle products frequently use different technologies for access control and user management.
"Right now, Microsoft has a better story on that," Oltsik said. The story is similar with product updates, though Oracle has made strides to streamline patch distribution with its CPU program, experts agree.