
Managing PeopleSoft security maintenance as a part of life cycle management

By Tina Thorstenson posted 01-14-2011 04:37 PM


One of the themes the HEUG and the Technical Advisory Group have focused on over the past year is life cycle management of PeopleSoft (PS) applications. This is one in a series of blog posts dedicated to the subject of effectively managing the security of our PS apps within the annual maintenance structure. Specifically, I thought it was time that we give some focused attention to Oracle's Critical Patch Update program (known as CPU).

A CPU patch is typically a collection of security fixes resolving vulnerabilities that have been verified by Oracle.  As stated on Oracle's website at http://www.oracle.com/technetwork/topics/security/alerts-086861.html#CriticalPatchUpdates, CPUs are the primary means Oracle uses to release security fixes to Oracle customers.  Furthermore, in many cases, this practice offers customers a way to proactively implement security improvements delivered by one of our primary vendors.

For those of you new to the Oracle family or less familiar with security aspects of your PeopleSoft applications, it may come as a surprise to you that CPUs are delivered on a quarterly basis on pre-defined dates. This means that we as Oracle customers can and should plan to incorporate these quarterly updates into our annual maintenance strategy.  Just like regulatory requirements or tax updates, CPUs should be rigorously reviewed and subsequently implemented in a timely fashion. We wouldn't think of skipping a Tax Update - we recognize they're critical to running our business. I suggest we treat CPUs the same way.

Sometimes I wonder if we as customers might not get a bit lazy about applying certain types of maintenance patches. Maybe it's because of competing priorities, or because we don't know exactly what we're solving by going through the effort. I've spoken directly with many of you about this subject and believe that, as an industry, we can step up our game here. In my day job, as the Chief Information Security Officer for ASU, I find myself focusing on these issues constantly. I am all too familiar with the vast number of vulnerabilities that every company and every institution faces every day. For any of you who find yourself in an organization that falls behind on this type of maintenance, I invite you to consider this idea. CPUs are the results of Oracle's Ongoing Security Assurance effort and a way of communicating on a routine basis that there are security bugs in the applications (either as a result of coding flaws or newly discovered vulnerabilities and attacks) that are now resolved. In large part, Oracle has done the hard part (by producing the fixes, ensuring they provide effective mitigation, and ensuring they do not cause regressions). It's our job to take these security improvements across the finish line by applying these security patches in a timely fashion.

CPU release dates are posted in advance. As an example, the quarterly update scheduled for delivery next Tuesday, January 18, 2011, already has pre-release information posted on the Oracle CPU site, located here: http://www.oracle.com/technetwork/topics/security/cpujan2011-194091.html.

As you plan your maintenance for 2011, keep in mind that Oracle publishes CPU release dates a year in advance. The 2011 release dates announced on Oracle's site include:


 *   18 January 2011
 *   19 April 2011
 *   19 July 2011
 *   18 October 2011

As we ring in the new year, I'd like to invite each of you to consider taking a rigorous approach to planning, reviewing and implementing this critical component of application maintenance.  Oracle has posted a technical white paper “Recommendations for Leveraging the Critical Patch Update and Maintaining a Proper Security Posture” located at http://www.oracle.com/us/support/assurance/leveraging-cpu-wp-164638.pdf, which explains among other things how to interpret the risk matrices in the CPU Advisories to make proper patching decisions and some of the approaches that various organizations can take from a security patching perspective.  As security requirements continue to play more important roles in our overall IT strategies, we should take full advantage of our vendor partnerships and leverage the security solutions they offer us.

For more information about Oracle Software Security Assurance programs, see http://www.oracle.com/us/support/assurance/index.html.
