I've been looking at Oracle database security recently and one of the things I've come across has really surprised me.
Oracle release a free (as in beer) version of their database product, Oracle 10g XE.
To quote their product page:
...Oracle Database XE is a great starter database for:
* Developers working on PHP, Java, .NET, XML, and Open Source applications
* DBAs who need a free, starter database for training and deployment
* Independent Software Vendors (ISVs) and hardware vendors who want a starter database to distribute free of charge
* Educational institutions and students who need a free database for their curriculum

Yeah, apart from one small problem: there are no security patches available for this product!
So if you download and use this product in your open source application as described, you're going to be left with a seriously insecure database, given the number of vulnerabilities in Oracle 10gR2 which have been patched in the main product and not in this one.
Now, according to Pete Finnigan, Oracle are meant to be releasing updated versions of the database with security patches applied, but that doesn't seem to be happening on a regular basis (really it should be quarterly, to keep up to date with the main product).
So if you're looking for a database for your new open source app, I'd think very carefully before using this one, free or not!


raesene

Security Geek, Kubernetes, Docker, Ruby, Hillwalking