Oracle, still clueless about security

Oracle's CSO has some wrongheaded notions about her area of expertise. What is the company doing about that?

oracle headquarters
Peter Kaminski (CC BY 2.0)

Oracle's chief security officer, Mary Ann Davidson, recently ticked off almost everyone in the security business. She proclaimed that you had to do security "expertise in-house because security is a core element of software development and you cannot outsource it." She continued, "Whom do you think is more trustworthy? Who has a greater incentive to do the job right — someone who builds something, or someone who builds FUD around what others build?"

Oh. Wait. That's what Davidson said in 2011!

What she said in 2015 was that security reports based on reverse-engineering Oracle code and then applying static or dynamic analysis to it does not lead to "proof of an actual vulnerability. Often, they are not much more than a pile of steaming … FUD."

Davidson's blog post is one long rant that boils down to, "How dare people analyze Oracle code?" "I have seen a large-ish uptick in customers reverse engineering our code to attempt to find security vulnerabilities in it. <Insert big sigh here.> This is why I've been writing a lot of letters to customers that start with "hi, howzit, aloha" but end with ‘please comply with your license agreement and stop reverse engineering our code, already.'"

Because God forbid someone should find a security hole!

Oracle backed away from Davidson's position in less than 24 hours. "We removed the post as it does not reflect our beliefs or our relationship with our customers," wrote Edward Screven, Oracle executive vice president and chief corporate architect.

But Oracle has not taken down Davidson's 2011 rant, nor others. For example, in an earlier 2015 post, Davidson described security researchers outside Oracle's Unbreakable walls as little more than greedy brats crying for attention:

A researcher first finds vulnerability in a widely-used library: the more widely-used, the better … Next, the researcher comes up with a catchy name. You get extra points for it being an acronym for the nature of the vulnerability, such as SUCKS—Security Undermining of Critical Key Systems. Then, you put up a website (more points for cute animated creature dancing around and singing the SUCKS song). Add links so visitors can Order the T-shirt, Download the App, and Get a Free Bumper Sticker! Get a hash tag. Develop a Facebook page and ask your friends to Like your vulnerability. (I might be exaggerating, but not by much.) Now, sit back and wait for the uninformed public to regurgitate the headlines about "New Vulnerability SUCKS!" If you are a security researcher who dreamed up all the above, start planning your speaking engagements on how the world as we know it will end, because (wait for it), "Everything SUCKS.

This is so much horse-pucky.

Yes, people want to make money and gain fame by finding and revealing security holes. Is that such a bad thing? It's certainly better than, say, finding a security hole and then exploiting it, isn't it? I think so.

Davidson also seems stuck in the dark ages of security. She believes in security by obscurity.

In 2012, for example, Davidson lambasted the Payment Card Industry Security (PCI) Standards Council for requiring "vendors to disclose (dare we say ‘tell all?') to PCI any known security vulnerabilities and associated security breaches." Or, as she put it more succinctly, "tell your customers that you have to rat them out to PCI."

She added, just to make it perfectly clear where she's coming from, that information on security vulnerabilities at Oracle is on a "need to know" basis.

Perhaps Davidson's extreme reactionary stance comes from the fact that David Litchfield, the famed U.K. security expert, has made a career of hacking Oracle database software. Back in 2005, Litchfield, who reverse-engineers Oracle code to find its vulnerabilities, said, "It is my belief that the CSO [Davidson] has categorically failed. Oracle security has stagnated under her leadership and it's time for change."

Ten years later, people like Davidson who believe that keeping code closed and proprietary is a good thing have grown far fewer in number. Even Microsoft has gotten the open-source message.

Who loves Linux? Microsoft CEO Satya Nadella loves Linux.

Oracle with Linux and MySQL gets open source too. But Davidson? Not so much.

One of open source's tenets is Linus's Law: "Given enough eyeballs, all bugs are shallow." Davidson, with her naked contempt for anyone who examines Oracle's code, appears to be out of step with Oracle and the open-source method.

Or, is she?

It's not as if Davidson is saying anything new. She's been making juvenile attacks -- I mean what's a chief anything officer doing saying "suck" over and over again? -- for years now. She's been Oracle's CSO for 15 years, and Oracle still lets her babble to the public without any control. Larry Ellison, if no one else, clearly thinks she's doing a great job.

I don't pretend to understand what's going on inside Oracle. People at Oracle who talk to reporters don't tend to keep their jobs for very long.

From the outside looking in, I see a company that both embraces and rejects the open-source method. That second part is not healthy for its products' security. And, in the long run, it's not healthy for Oracle's future as a company.

Back in 2006, Davidson said, her "goal is to be out of a job." Maybe it's time for Oracle to take her up on that offer.

This story, "Oracle, still clueless about security" was originally published by Computerworld.


Copyright © 2015 IDG Communications, Inc.

How to choose a low-code development platform