Oracle pulls blog post critical of security vendors, customers

Oracle's head of security advised customers not to submit bug reports from third-party security analysis tools and services

Oracle published, then quickly deleted, a blog post criticizing third-party security consultants and the enterprise customers who use them.

Authored by Oracle chief security officer Mary Ann Davidson, the post sharply admonished enterprise customers for reverse engineering, or hiring consultants to reverse engineer, the company's proprietary software, with the aim of finding as of yet unfixed security vulnerabilities.

The missive, entitled "No, You Really Can't," was issued Monday on Davidson's corporate blog, then pulled a few hours later. The Internet Archive captured a copy of the post.

"We removed the post as it does not reflect our beliefs or our relationship with our customers," wrote Edward Screven, Oracle executive vice president and chief corporate architect, in a press statement emailed Tuesday.

The post responds to an increasing number of static analysis reports being submitted to Oracle by its customers. Static analysis is the process of inspecting the object code, or source code, of a program to find vulnerabilities.

Organizations may hire a third-party security consultant or program, from the likes of Veracode or Coverity, to scan the enterprise software it uses to look for as-of-yet unearthed bugs that could be exploited to gain entry to a system.

Davidson wrote that such tests are rarely necessary, and often point to flaws that don't exist.

"Most of these tools have a close to 100 [percent] false positive rate so please do not waste our time on reporting little green men in our code," she wrote.

Customers would be better served by keeping their software patched than by foraging for fresh obscure zero-day vulnerabilities, she wrote.

She reminded her customers that such scans, which inspect the object code of the actual program, violate the terms of Oracle's licensing agreements, because they constitute reverse engineering, which is the process of disassembling a technology to understand how it operates. Davidson also took a jab at bug bounty programs, in which companies such as Microsoft or Google offer cash rewards to researchers who dig up previously undiscovered software flaws. Such a program wouldn't be of much value to Oracle, since the company finds the majority of its bugs through internal testing.

Not surprisingly, many security firms were not happy with the blog post.

"Discouraging customers from reporting vulnerabilities or telling them they are violating license agreements by reverse engineering code, is an attempt to turn back the progress made to improve software security," wrote Chris Wysopal, Veracode chief technology officer and chief information security officer, in an email statement.

Join the CSO newsletter!

Error: Please check your email address.

Tags securitypatch managementExploits / vulnerabilitiesOracle

More about CustomersGoogleMicrosoftOracle

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Joab Jackson

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts

Market Place