Software assurance critical for security: Oracle CSO
- — 16 October, 2012 16:25
More robust software and intelligent networks will make life easier for the security industry and the users they are trying to protect, according to the CSO of Oracle.
Speaking at the Australian Information Security Association (AISA) National Conference 2012 in Sydney, Mary Ann Davidson told delegates that Oracle customers were now asking questions about the vendor’s software code and how secure it is.
“It used to be that nobody called security people but now our customers want to know what we have done for them lately and how we are building our software,” she said.
“That’s good because it makes more work for us but what I would really like to say is that every single one of our products is compliant.”
However, Davidson admitted that not every one of its products may be compliant — simply because it acquires other companies and needs to assess if their practices meet Oracle’s standards or not.
She added that these standards always change because of new vulnerabilities such as automated tools which can find code before software products are shipped.
“I want to know what our customers are using Oracle software for so we can find out where the problem lies.”
Turning to software vendors, she said that vendors needed to work on not allowing software applications to be installed which the consumer will never use and then be forced to patch.
“Why can’t you [the vendor] give me a smaller install or let me decide what I want to install?”
According to Davidson, vendors like to use what she called the “drug addict” model where users get hooked on installing every application and then come back for more.
“The user then comes back and has to pay for it. That’s a nice business model but it’s not the best security model.”
According to Davidson, improving software assurance will make attackers work harder and allow redeployment of money spent on patching and maintenance.
Davidson, who is an ex-US Marine officer, told delegates that the security industry should take notes from the armed forces.
“One of the things that makes the US Marines lethal is that they don’t assume they are not going to have any casualties and their perimeter won’t get breached.”
“Why don’t we build [security] networks that way? We have a model where we assume everyone inside the network is trustworthy.”
She said CSOs and IT professionals should start assuming that they are going to be breached and prepare for what she called evil input, where someone deliberately tries to break a network.
“If you’re getting evil input, that is intelligence and you should be able to do something with that such as configuring the network to recognise these attacks and deny access to the attacker.”
Davidson lamented that there was not more use of smarter engines that went on the network and discovered all the useful information contained within.
However, technology that would solve this problem such as context-based access which recognises if the user is behaving strangely or trying to access the network from a different IP address is available, she said.