WebApp Sec mailing list archives

Re: [WEB SECURITY] Re: Oracle in war of words with security researcher


From: Andrew van der Stock <vanderaj () greebo net>
Date: Sat, 28 Jan 2006 12:16:03 +1100

I will stick my foot in here.

Personally, I see this as Oracle's CSO's fault. She's had enough time in the job to improve Oracle's:

* Pro-active training for their own devs, so they can find and fix security bugs on their own.

* More than enough time for products like 10g to have a proper security architecture from the get go, so that it presents minimal risk out of the box, and adequate security controls once in operation. It doesn't really improve the security story over 9.2.

* Security test teams. She's been using the "time to test" product excuse for too long. Oracle is a great believer in outsourcing to India; it doesn't take that long to hire enough capable talent in India to test all their products carefully and thoroughly. Indian CS grads are the equal of any country's, so I find this excuse to be at best worn out. It's easy to fix lack of testing resources.

* Improving security in existing supported products so that implementing Oracle products securely doesn't take so long (i.e., just as one example: no default accounts... at all. See Pete Finnigan's site for the 600 default accounts they ship today).

* Improving security advice by commissioning workable security guides. The existing guides are better than nothing, but I get more from Pete Finnigan's site than Oracle's.

* Implementing necessary security features by default, rather than as an optional "Advanced Security" pack that no one uses, as few know of it and even fewer buy it.

* Communicate with customers about security pro-actively and openly. I don't ever hear from them despite being in my very large Bank's security team. As we are responsible for security, we NEED (not want) all the details Oracle is hiding from us. Not knowing places us at considerable risk. We are a *very* large customer, and we demand to know, not be lied to. I will push this through the correct channels in my bank on Monday.

* Improve responsiveness to researchers and ditch their poor attitude to professionals such as ourselves. 800 days for a fix is ridiculous and dangerous to customers who use Oracle's products for mission critical stuff like we do. Not having confidence in a key component of our IT systems is unacceptable. 600-800 days is, in my personal view, negligent.

I think Oracle should find another CSO, one who will address Oracle's security not as a problem to be swept under the rug, but as an opportunity for market leadership and as a benefit to customers to reduce implementation and operational costs. Security is about trust, and Oracle's security woes have abused and eroded that trust.

I believe it is time for Mary Ann Davidson to stand down. She's had more than enough time to demonstrate her leadership at Oracle and turn their poor security record around. She's failed Oracle's customers for too long, so it's time to let someone else have a shot at it.

thanks,
Andrew

On 28/01/2006, at 10:59 AM, Valkyrie wrote:

Is this truly a case of Oracle's people being terrible to deal with when it comes to security research and response, or is it more toward the corporate culture that may influence how quickly the organization responds to issues? I could contend the same thing for several enterprise software and security software/hardware vendors presently in the IT space. A culture of trusted advisory and responsiveness to end users just doesn't *seem* to be on the "Top 5 Initiatives" list. Again, my assertion goes back to failure to have received a logical response to the question, "How long is too long to fix your stuff?" Martin has highlighted some excellent points from what may be a vendor perspective, however, those points do not necessarily help resolve this issue.

Regards,
valkyrie

Byron Sonne wrote:

This isn't picking on Oracle, this is true for all vulnerabilities in
widely used publicly available products.


Oracle *should* be picked on though: they're terrible people to deal with when it comes to security research.

---------------------------------------------------------------------
The Web Security Mailing List
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives
http://www.webappsec.org/lists/websecurity/archive/

