
Oracle, still clueless about security

Steven J. Vaughan-Nichols | Aug. 26, 2015
Oracle's CSO has some wrongheaded notions about her area of expertise. What is the company doing about that?

This is so much horse-pucky.

Yes, people want to make money and gain fame by finding and revealing security holes. Is that such a bad thing? It’s certainly better than, say, finding a security hole and then exploiting it, isn’t it? I think so.

Davidson also seems stuck in the dark ages of security. She believes in security by obscurity.

In 2012, for example, Davidson lambasted the Payment Card Industry (PCI) Security Standards Council for requiring “vendors to disclose (dare we say ‘tell all?’) to PCI any known security vulnerabilities and associated security breaches.” Or, as she put it more succinctly, “tell your customers that you have to rat them out to PCI.”

She added, just to make it perfectly clear where she’s coming from, that information on security vulnerabilities at Oracle is on a “need to know” basis.

Perhaps Davidson’s extreme reactionary stance comes from the fact that David Litchfield, the famed U.K. security expert, has made a career of hacking Oracle database software. Back in 2005, Litchfield, who reverse-engineers Oracle code to find its vulnerabilities, said, “It is my belief that the CSO [Davidson] has categorically failed. Oracle security has stagnated under her leadership and it’s time for change.”

Ten years later, people like Davidson who believe that keeping code closed and proprietary is a good thing have grown far fewer in number. Even Microsoft has gotten the open-source message.

Who loves Linux? Microsoft CEO Satya Nadella loves Linux.

Oracle with Linux and MySQL gets open source too. But Davidson? Not so much.

One of open source’s tenets is Linus’s Law: “Given enough eyeballs, all bugs are shallow.” Davidson, with her naked contempt for anyone who examines Oracle’s code, appears to be out of step with Oracle and the open-source method.

Or is she?

It’s not as if Davidson is saying anything new. She’s been making juvenile attacks — I mean what’s a chief anything officer doing saying “suck” over and over again? — for years now. She’s been Oracle’s CSO for 15 years, and Oracle still lets her babble to the public without any control. Larry Ellison, if no one else, clearly thinks she’s doing a great job.

I don’t pretend to understand what’s going on inside Oracle. People at Oracle who talk to reporters don’t tend to keep their jobs for very long.

From the outside looking in, I see a company that both embraces and rejects the open-source method. That second part is not healthy for its products’ security. And, in the long run, it’s not healthy for Oracle’s future as a company.

Back in 2006, Davidson said, her “goal is to be out of a job.” Maybe it’s time for Oracle to take her up on that offer.
