Oracle, still clueless about security

Oracle's CSO has some wrongheaded notions about her area of expertise. What is the company doing about that?

Oracle’s chief security officer, Mary Ann Davidson, recently ticked off almost everyone in the security business. She proclaimed that you had to do security “expertise in-house because security is a core element of software development and you cannot outsource it.” She continued, “Whom do you think is more trustworthy? Who has a greater incentive to do the job right — someone who builds something, or someone who builds FUD around what others build?”

Oh. Wait. That’s what Davidson said in 2011!

What she said in 2015 was that security reports based on reverse-engineering Oracle code and then applying static or dynamic analysis to it do not lead to “proof of an actual vulnerability. Often, they are not much more than a pile of steaming … FUD.”

Davidson’s blog post is one long rant that boils down to, “How dare people analyze Oracle code?” “I have seen a large-ish uptick in customers reverse engineering our code to attempt to find security vulnerabilities in it. <Insert big sigh here.> This is why I’ve been writing a lot of letters to customers that start with ‘hi, howzit, aloha’ but end with ‘please comply with your license agreement and stop reverse engineering our code, already.’”

Because God forbid someone should find a security hole!

Oracle backed away from Davidson’s position in less than 24 hours. “We removed the post as it does not reflect our beliefs or our relationship with our customers,” wrote Edward Screven, Oracle executive vice president and chief corporate architect.

But Oracle has not taken down Davidson’s 2011 rant, nor others. For example, in an earlier 2015 post, Davidson described security researchers outside Oracle’s Unbreakable walls as little more than greedy brats crying for attention:

A researcher first finds vulnerability in a widely-used library: the more widely-used, the better … Next, the researcher comes up with a catchy name. You get extra points for it being an acronym for the nature of the vulnerability, such as SUCKS—Security Undermining of Critical Key Systems. Then, you put up a website (more points for cute animated creature dancing around and singing the SUCKS song). Add links so visitors can Order the T-shirt, Download the App, and Get a Free Bumper Sticker! Get a hash tag. Develop a Facebook page and ask your friends to Like your vulnerability. (I might be exaggerating, but not by much.) Now, sit back and wait for the uninformed public to regurgitate the headlines about “New Vulnerability SUCKS!” If you are a security researcher who dreamed up all the above, start planning your speaking engagements on how the world as we know it will end, because (wait for it), “Everything SUCKS.”

This is so much horse-pucky.

Yes, people want to make money and gain fame by finding and revealing security holes. Is that such a bad thing? It’s certainly better than, say, finding a security hole and then exploiting it, isn’t it? I think so.

Davidson also seems stuck in the dark ages of security. She believes in security by obscurity.

In 2012, for example, Davidson lambasted the Payment Card Industry Security (PCI) Standards Council for requiring “vendors to disclose (dare we say ‘tell all?’) to PCI any known security vulnerabilities and associated security breaches.” Or, as she put it more succinctly, “tell your customers that you have to rat them out to PCI.”

She added, just to make it perfectly clear where she’s coming from, that information on security vulnerabilities at Oracle is on a “need to know” basis.

Perhaps Davidson’s extreme reactionary stance comes from the fact that David Litchfield, the famed U.K. security expert, has made a career of hacking Oracle database software. Back in 2005, Litchfield, who reverse-engineers Oracle code to find its vulnerabilities, said, “It is my belief that the CSO [Davidson] has categorically failed. Oracle security has stagnated under her leadership and it’s time for change.”

Ten years later, people like Davidson who believe that keeping code closed and proprietary is a good thing have grown far fewer in number. Even Microsoft has gotten the open-source message.

Who loves Linux? Microsoft CEO Satya Nadella loves Linux.

Oracle, with Linux and MySQL, gets open source too. But Davidson? Not so much.

One of open source’s tenets is Linus’s Law: “Given enough eyeballs, all bugs are shallow.” Davidson, with her naked contempt for anyone who examines Oracle’s code, appears to be out of step with Oracle and the open-source method.

Or, is she?

It’s not as if Davidson is saying anything new. She’s been making juvenile attacks — I mean what’s a chief anything officer doing saying “suck” over and over again? — for years now. She’s been Oracle’s CSO for 15 years, and Oracle still lets her babble to the public without any control. Larry Ellison, if no one else, clearly thinks she’s doing a great job.

I don’t pretend to understand what’s going on inside Oracle. People at Oracle who talk to reporters don’t tend to keep their jobs for very long.

From the outside looking in, I see a company that both embraces and rejects the open-source method. That second part is not healthy for its products’ security. And, in the long run, it’s not healthy for Oracle’s future as a company.

Back in 2006, Davidson said her “goal is to be out of a job.” Maybe it’s time for Oracle to take her up on that offer.
