In a recent engagement, Litchfield was able to reduce the number of JSPs from the default of about 15000 to fewer than 200 - a reduction of 99.99%. This is done by examining the access logs to see which JSPs are actually requested, and by identifying which JSPs other components depend on; anything outside that set is a candidate for removal.
Similarly, he was able to reduce the number of servlets from 80 to two, and the number of PL/SQL packages from 700 to six. Together these changes significantly reduced the software's attack surface.
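As an added illustration of the pruning approach described above (this is not code from Litchfield's talk), the following Python script keeps every JSP that appears in the access log plus everything those pages reach through includes and forwards, and lists the remaining deployed JSPs as removal candidates. The log lines, paths and JSP sources are all constructed for the example; the same idea applies to servlets and PL/SQL packages with a different reference scanner.

```python
import posixpath
import re
from collections import deque

# Constructed sample access log (Common Log Format); not taken from any real system.
ACCESS_LOG = """\
10.0.0.5 - - [12/Mar/2010:10:01:12 +0000] "GET /app/login.jsp HTTP/1.1" 200 5120
10.0.0.7 - - [12/Mar/2010:10:02:40 +0000] "POST /app/login.jsp?next=home HTTP/1.1" 302 0
10.0.0.5 - - [12/Mar/2010:10:03:01 +0000] "GET /app/images/logo.gif HTTP/1.1" 200 3000
10.0.0.9 - - [12/Mar/2010:10:04:22 +0000] "GET /app/orders/list.jsp HTTP/1.1" 200 7200
"""

# Constructed JSP sources keyed by deployed path; in practice these are read from disk.
JSP_SOURCES = {
    "/app/login.jsp": '<%@ include file="header.jsp" %><jsp:forward page="/app/home.jsp"/>',
    "/app/header.jsp": "<html>",
    "/app/home.jsp": '<jsp:include page="menu.jsp"/>',
    "/app/menu.jsp": "<ul></ul>",
    "/app/orders/list.jsp": '<%@ include file="../header.jsp" %>',
    "/app/admin/debug.jsp": '<jsp:include page="/app/menu.jsp"/>',  # never requested
    "/app/admin/export.jsp": "",                                     # never requested
}

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+?)(?:\?\S*)? HTTP/')
REF_RE = re.compile(r'<(?:jsp:include|jsp:forward)\s+page="([^"]+)"|<%@\s*include\s+file="([^"]+)"')

def requested_jsps(log_text):
    """Entry points: every .jsp path (query string stripped) seen in a request line."""
    return {m.group(1) for m in REQUEST_RE.finditer(log_text)
            if m.group(1).lower().endswith(".jsp")}

def references(src_path, src_text):
    """JSPs that src_path includes or forwards to, resolved to absolute deployed paths."""
    out = set()
    for m in REF_RE.finditer(src_text):
        ref = m.group(1) or m.group(2)
        if not ref.startswith("/"):  # relative to the referencing page's directory
            ref = posixpath.normpath(posixpath.join(posixpath.dirname(src_path), ref))
        out.add(ref)
    return out

def keep_set(log_text, sources):
    """Requested JSPs plus everything reachable from them via include/forward (BFS)."""
    keep = requested_jsps(log_text) & set(sources)  # ignore requests for pages not deployed
    queue = deque(keep)
    while queue:
        for ref in references(queue[0], sources[queue.popleft()]):
            if ref in sources and ref not in keep:
                keep.add(ref)
                queue.append(ref)
    return keep

def removal_candidates(log_text, sources):
    """Deployed JSPs that are neither requested nor reachable: review, then remove."""
    return sorted(set(sources) - keep_set(log_text, sources))
```

Run the candidates list past the application owners before deleting anything, since a page only used on a quarterly job may not appear in a short log window.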
During the Q&A after his presentation, Litchfield said that, in his personal opinion, SQL Server is a far more secure platform, although it may not be as feature rich. He also noted that, while patching is taking place, many organisations deliberately hold back on applying a patch in order to wait for any flaws in it to be identified; in many cases, companies are working one patch cycle behind what Oracle is releasing.
Source: CSO Australia