Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

Security industry reacts to Oracle's CSO missive

George V. Hulme | Aug. 14, 2015
In case there existed any previous questions regarding how Oracle's chief security officer, Mary Ann Davidson, felt about its customers uncovering software vulnerabilities in its applications, they were laid to rest yesterday in a strongly worded blog post, No, You Really Can't. The post, swiftly pulled by Oracle, apparently held nothing back when it came to her views that under no circumstances should customers, or their hired security researchers, evaluate Oracle source code for potential security flaws.

Few would disagree, and based on interviews with software makers over the years, there is no shortage of what many believe to be less than helpful submissions by bug finders who run software analysis tools and submit findings that are nothing more than false positives. "In all professions there are charlatans, jack-asses and frauds who shouldn't be doing anything more than grabbing people coffee - but there are also a lot of highly qualified, well intentioned security researchers that do offer a tremendous value to the community," says Amrit Williams DePaulo, *chief technology officer at CloudPassage.

*Ira Winkler*, president at the security awareness firm Secure Mentem, argued that no matter how irritating bug submissions are, Oracle should be able to adequately manage the situation. "Oracle is a very large and rich company, with products that are widely distributed and used for critical applications. Period. They have a responsibility to make their software as strong as possible," Winkler said.  "There might be a lot of false positives and associated costs, but that is a factor of [their selling] a lot of software that has a lot of users. It is a cost of doing business. I'm sure all software companies have the same false positive reports. I don't hear Microsoft et al. complaining."

Gene Spafford, computer sciences and electrical and computer engineering professor and executive director at Purdue University, said that software vendors have brought much of the current bug finding efforts and environment upon themselves. "If vendors really applied all we know about how to build robust, secured software -- including design, testing, and careful deployment -- Mary Ann's position would be quite sensible. The sloppy, slap-dash, first-to-market coding in most products plus dump-it-on-the-users EULAs mean that we have developed a culture where lots of parties feel the need to probe and test things on their own,"  Spafford said.

*"If she had concluded with a statement like, 'Please continue to feel free to send us the security bugs you find and we'll get them fixed, but please don't waste our time with 500 pages of un-validated findings', it would've been a wee bit more palatable,"said David Litchfield,*experienced software security researcher and consultant at Datacom TSS, who has been known to find a great number of Oracle software vulnerabilities himself.


Previous Page  1  2  3 

Sign up for MIS Asia eNewsletters.