FRAMINGHAM (09/26/2003) - This week's announcement by the U.S. Department of Energy that it will require Oracle Corp. to deliver software that's configured for optimal security and then provide immediate postdeployment support for security patches may signal the beginning of a dramatically different security model for the government and industry, security experts said.
The potential shift stems from the government's push to use a new security configuration benchmark developed by the Center for Internet Security (CIS) to test and certify Oracle database versions 8i and 9i running on Windows and Unix.
The benchmark, developed with dozens of Oracle software users and the SANS Institute through the CIS, will be available to anyone, free of charge, at the CIS Web site.
"Oracle not only agreed to deliver a safely configured system but also to deliver hot fixes and patches automatically and to ensure that none of those fixes undoes the security settings," said Alan Paller, director of research at the Bethesda, Md.-based SANS Institute. This solves two huge problems for software buyers, said Paller, because they will no longer have to search for patches and they will no longer have to test patches to determine whether they would unravel other key security settings.
In fact, the DOE will now receive data on bugs and fixes through an internal, Oracle-run automated bug-tracking system. Through this system, the company will automatically deliver patches to a central server at the DOE.
The agency signed a separate contract with Sunnyvale, Calif.-based Opsware Inc. to ensure that every DOE system has the most up-to-date configuration of Oracle software, thereby enabling patches to proliferate automatically throughout the network.
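The point Paller makes above, that a patch must not quietly undo the hardened settings a benchmark established, is something a site can verify for itself rather than take on trust. The script below is an added illustration, not code from DOE, Oracle, CIS or Opsware: it compares a pre-patch and a post-patch snapshot of database parameters against a hardening baseline and reports only the settings the patch regressed. The baseline, both snapshots and the simple `name = value` snapshot format are constructed for the example; the parameter names are real Oracle initialization parameters, but the required values are this example's assumption and are not quoted from the CIS benchmark.

```python
# Post-patch configuration drift check against a hardening baseline.
# Everything below is constructed for illustration (not CIS benchmark text).

# Assumed baseline: parameter name -> required value (uppercase for comparison).
BASELINE = {
    "remote_os_authent": "FALSE",
    "o7_dictionary_accessibility": "FALSE",
    "audit_trail": "DB",
    "sql92_security": "TRUE",
}

# Constructed snapshot taken before the patch: fully compliant.
PRE_PATCH = """
# snapshot before patch
remote_os_authent = FALSE
o7_dictionary_accessibility = FALSE
audit_trail = DB
sql92_security = TRUE
"""

# Constructed snapshot after the patch: the patch has reset auditing.
POST_PATCH = """
# snapshot after patch
remote_os_authent = FALSE
o7_dictionary_accessibility = FALSE
audit_trail = NONE
sql92_security = TRUE
"""


def parse_snapshot(text):
    """Parse 'name = value' lines (constructed format) into a dict.
    Names are lower-cased and values upper-cased so comparisons are
    insensitive to how the tool that produced the snapshot printed them."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition("=")
        if not sep:
            continue  # not a name = value line; ignore
        settings[name.strip().lower()] = value.strip().upper()
    return settings


def check_drift(baseline, settings):
    """Return (param, expected, actual) for each baseline entry that is
    missing or differs from the required value. Empty list = compliant.
    A missing parameter is reported with actual=None rather than ignored,
    because an absent setting usually means the insecure default applies."""
    findings = []
    for name, expected in baseline.items():
        actual = settings.get(name)
        if actual != expected:
            findings.append((name, expected, actual))
    return findings


def patch_regressions(baseline, before_text, after_text):
    """Findings present after the patch that were not present before it,
    i.e. settings the patch itself undid. Pre-existing drift is excluded
    so the report attributes blame correctly."""
    before = set(check_drift(baseline, parse_snapshot(before_text)))
    after = check_drift(baseline, parse_snapshot(after_text))
    return [f for f in after if f not in before]


if __name__ == "__main__":
    for name, expected, actual in patch_regressions(BASELINE, PRE_PATCH, POST_PATCH):
        print(f"REGRESSION {name}: required {expected}, now {actual}")
```

Run it on real snapshots by exporting the parameters from the database with whatever tooling the site already uses and writing them in the `name = value` form; the regression list is what should gate the patch's promotion to production, and an empty list is the evidence that the fix left the benchmark settings intact.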
Tim Hoechst, Oracle's senior vice president of technology for government, education and health care, said the release of the CIS-developed Oracle benchmark in conjunction with the DOE contract is designed to ensure that customers configure their software properly so they can take full advantage of the security features.
"We're not just throwing the locks over the fence -- we're climbing over the fence with our locks," he said. "Designing our products with secure functionality does not necessarily mean our customers take advantage of that functionality. What this does is produce guidelines for how to best use the technology."
Clint Kreitner, president and CEO of CIS, said that until now, much of the focus has been on influencing operating system vendors to improve security and support.
The next phase, heralded by the Oracle benchmark, is to focus on application vendors, he said. "People don't buy computers around operating systems," Kreitner said. "They buy them around applications." The DOE's contract with Oracle is something other agencies and companies should consider emulating, he added.