Oracle Corp. should adopt a more stringent development process akin to that of Microsoft Corp. in order to deal with patch problems that have been plaguing the Santa Clara, Calif-based software and database management company, according to several security experts.
Java issued an emergency security patch to update Java 7 and stop the zero-day exploit. The patch, however, failed to prevent two new vulnerabilities which enable attackers to control computers using the software.
Java patch problems remain says researchers
U.S. says Java should be disabled
Malware targets Java HTTP servers
Oracle’s inability to decisively deal with the problem indicates that the company’s security policies are “broken” according to security experts interviewed by Computerworld.com. One of them said it illustrates that Oracle’s three-times-a-year Java patch does not adequately protect the software’s users.
The experts suggested that Oracle adopt something akin to Microsoft’s Security Development Lifecycle. The SDL involves regular code reviews during the development of a product and built-in practices to reduce vulnerabilities during the design phase.