Next Tuesday, 16th January 2007, Oracle will issue 52 critical patches. It’s clearly a great leap forward for database vulnerability management. But it also illustrates the size of our security exposure at the application level. Any company that relies on database security measures to safeguard critical business processes or sensitive personal data should be very afraid. The security threat landscape is now focused on espionage and data theft. Efficient patching will not be sufficient. We need a step change in the application of good security practices throughout the system development cycle. And we need to take steps to secure our intrinsically insecure legacy systems. Organizations should not simply wait for the next set of fixes to known vulnerabilities. They should identify their critical applications, assess the security risks associated with them and immediately apply additional security measures to prevent external and internal attempts to exploit potential weaknesses. There is plenty of affordable security technology on the market to help with this. So there’s no longer any technical excuse for not keeping your critical and sensitive data under control.