Oracle, still clueless about security

Steven J. Vaughan-Nichols | Aug. 26, 2015
Oracle's CSO has some wrongheaded notions about her area of expertise. What is the company doing about that?

[Image: Oracle headquarters. Credit: Peter Kaminski, CC BY 2.0, via Wikimedia Commons]

Oracle’s chief security officer, Mary Ann Davidson, recently ticked off almost everyone in the security business. She proclaimed that you had to do security “expertise in-house because security is a core element of software development and you cannot outsource it.” She continued, “Whom do you think is more trustworthy? Who has a greater incentive to do the job right — someone who builds something, or someone who builds FUD around what others build?”

Oh. Wait. That’s what Davidson said in 2011!

What she said in 2015 was that security reports based on reverse-engineering Oracle code and then applying static or dynamic analysis to it do not lead to “proof of an actual vulnerability. Often, they are not much more than a pile of steaming … FUD.”

Davidson’s blog post is one long rant that boils down to, “How dare people analyze Oracle code?” “I have seen a large-ish uptick in customers reverse engineering our code to attempt to find security vulnerabilities in it. <Insert big sigh here.> This is why I’ve been writing a lot of letters to customers that start with “hi, howzit, aloha” but end with ‘please comply with your license agreement and stop reverse engineering our code, already.’”

Because God forbid someone should find a security hole!

Oracle backed away from Davidson’s position in less than 24 hours. “We removed the post as it does not reflect our beliefs or our relationship with our customers,” wrote Edward Screven, Oracle executive vice president and chief corporate architect.

But Oracle has not taken down Davidson’s 2011 rant, nor others. For example, in an earlier 2015 post, Davidson described security researchers outside Oracle’s Unbreakable walls as little more than greedy brats crying for attention:

A researcher first finds vulnerability in a widely-used library: the more widely-used, the better ... Next, the researcher comes up with a catchy name. You get extra points for it being an acronym for the nature of the vulnerability, such as SUCKS - Security Undermining of Critical Key Systems. Then, you put up a website (more points for cute animated creature dancing around and singing the SUCKS song). Add links so visitors can Order the T-shirt, Download the App, and Get a Free Bumper Sticker! Get a hash tag. Develop a Facebook page and ask your friends to Like your vulnerability. (I might be exaggerating, but not by much.) Now, sit back and wait for the uninformed public to regurgitate the headlines about "New Vulnerability SUCKS!" If you are a security researcher who dreamed up all the above, start planning your speaking engagements on how the world as we know it will end, because (wait for it), "Everything SUCKS."
