Oracle needs to improve patch management, an area where it's currently lagging five years behind Microsoft, according to database expert Karel Miko at Czech consultancy DCIT.
"When Microsoft announced Trustworthy Computing a lot of people laughed, but now you see a real difference," said Miko, who spoke at the European Computer Audit Control and Security Conference in Stockholm.
"I don't like Microsoft, but Oracle definitely has something to learn," he said.
Microsoft offers central patch management tools that allow customers to see what patches are missing and so on, whereas Oracle doesn't.
Oracle also doesn't make life easier for companies who want to keep their databases secure, according to Miko, making it complex to download and install patches.
It also has a strange approach to new vulnerabilities, he said.
"An independent consultant announces a vulnerability to Oracle. Three months go by, and nothing happens, six months, a year and still nothing. Oracle puts it in a queue and will solve it sometime, maybe," said Miko.
If customers put pressure on Oracle it might be prompted to improve, but Miko isn't holding his breath.
"Customers are very dependent on Oracle -- its database is number one. If you have an application based on an Oracle's database there is no way to change, in maybe 90 per cent of all cases," he said.
Databases are one of the hottest topics at EuroCacs; no other product category has more sessions.
That's good because database security is lagging behind. Even though Oracle has been adding new security features customers aren't taking advantage of them.
"To be honest a lot of companies aren't even using the basic stuff that has been there since version 8," said Miko.
In the end database security is all about people.
"In my experience even some small enterprises have better administrators than large banks, and do a better job," said Miko.