
Security industry reacts to Oracle's CSO missive

George V. Hulme | Aug. 14, 2015
If there was any remaining doubt about how Oracle's chief security officer, Mary Ann Davidson, felt about customers uncovering software vulnerabilities in its applications, it was laid to rest yesterday in a strongly worded blog post, No, You Really Can't. The post, swiftly pulled by Oracle, held nothing back in stating her view that under no circumstances should customers, or the security researchers they hire, examine Oracle source code (or reverse-engineer its binaries) in search of potential security flaws.

For software security assurances, Davidson advised enterprises to talk to their software suppliers about their assurance programs and to also check for certifications such as Common Criteria certifications or FIPS-140. "Most vendors -- at least, most of the large-ish ones I know -- have fairly robust assurance programs now (we know this because we all compare notes at conferences). That's all well and good, is appropriate customer due diligence and stops well short of "hey, I think I will do the vendor's job for him/her/it and look for problems in source code myself," she wrote.

To say that the post resulted in a strong industry backlash would be an understatement. Oracle distanced itself from Davidson's opinions in its statement distributed to the press. "The security of our products and services has always been critically important to Oracle. Oracle has a robust program of product security assurance and works with third party researchers and customers to jointly ensure that applications built with Oracle technology are secure. We removed the post as it does not reflect our beliefs or our relationship with our customers," Oracle executive vice president and chief corporate architect Edward Screven said in the statement.

"It's incredibly arrogant for Oracle to suppose that they have all the answers and that their IP protections are sufficient and proper to guard against bad guys hacking your organization," said Jonathan Feldman, CIO at the city of Asheville, N.C. "We know it's stupid. It's not like we have one year of data. Or five. We have at least 20 years of experience saying that the bad guys do deep, debugger-level code dives, and to ignore that with a Pollyanna 'everybody had better be nice, now, because the Big O has Everything Under Control' is crazy and irresponsible and ignorant," Feldman said.

Others responded to the vitriol and magnitude of the blowback on Twitter and social networks. Gadi Evron, founder and CEO of cybersecurity startup Cymmetria, said he found many of the reactions on the Internet distasteful.

As did Adrian Sanabria, senior analyst, enterprise security practice at The 451 Group. "I object to people calling her crazy and nutty. I think her argument was well put together (though fatally flawed) and the post was well written - entertaining, even. Forget her point-of-view and the EULA for a moment. The REAL issue is that the CSO of a large corporation made a bold statement on a major issue and her company pulled her statement and publicly denounced her views," Sanabria said.

Andrew van der Stock, project lead, OWASP Developer Guide at the OWASP Foundation, said, "The thing I agree about is that there needs to be a better way of reporting vulnerabilities. Just dumping Veracode or Nessus output on a vendor without making sure it's real is stupid," he said. "I also agree with her that folks should pay attention to their own stuff first and foremost, but where we part company is if you stumble across a security defect in a database, that absolutely should be reported and possibly rewarded, not threatened with a sinning letter. So no reporting vulnerabilities without a Proof of Concept and a repeatable write up," he said.
