According to Shulman, some security researchers who have submitted notice of several vulnerabilities to Oracle are waiting to hear back from the company. "I really would like to think that they are getting better with their product, but honestly, that's not it," he said.
Stephen Kost, chief technology officer at security vendor Integrigy, noted that IT managers must also deal with Oracle's continuing reluctance to release full details of the flaws it is patching. Unlike Microsoft and other vendors, which release detailed information on each flaw and their patches, Oracle simply releases patches and offers little data on the flaws.
"One piece of information that Oracle does not release is what should be tested when I apply the patch," Kost said. "What should I be testing from a functional perspective; what might I break? Right now I don't know."
According to Kost, while most of the flaws in Oracle's core database may have been addressed in recent security updates, flaws in ancillary technologies such as Oracle Database Vault and Oracle Audit Vault are not patched as quickly. "Products that are supporting the Oracle database are the places where you find problems. That doesn't lessen the risk," but just moves it to another place, he said.
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan, or subscribe to Jaikumar's RSS feed. His e-mail address is email@example.com.