Oracle Corp. should adopt a more stringent development process akin to that of Microsoft Corp. in order to deal with patch problems that have been plaguing the Santa Clara, Calif-based software and database management company, according to several security experts.
The United States Department of Homeland Security on January 11 advised computer uses to disable Java
plug-ins in their browsers due to a major vulnerability discovered by security researchers some two weeks earlier.
Java issued an emergency security patch to update Java 7 and stop the zero-day exploit. The patch, however, failed to prevent two new vulnerabilities which enable attackers to control computers using the software.
Oracle’s inability to decisively deal with the problem indicates that the company’s security policies are “broken” according to security experts interviewed by Computerworld.com. One of them said it illustrates that Oracle’s three-times-a-year Java patch does not adequately protect the software’s users.
The experts suggested that Oracle adopt something akin to Microsoft’s Security Development Lifecycle. The SDL involves regular code reviews during the development of a product and built-in practices to reduce vulnerabilities during the design phase.
Read the rest of the story here