Oracle, still clueless about security
Oh. Wait. That’s what Davidson said in 2011!
What she said in 2015 was that security reports based on reverse-engineering Oracle code and then applying static or dynamic analysis to it does not lead to “proof of an actual vulnerability. Often, they are not much more than a pile of steaming … FUD.”
Davidson’s blog post is one long rant that boils down to, “How dare people analyze Oracle code” “I have seen a large-ish uptick in customers reverse engineering our code to attempt to find security vulnerabilities in it. <Insert big sigh here.> This is why I’ve been writing a lot of letters to customers that start with “hi, howzit, aloha” but end with ‘please comply with your license agreement and stop reverse engineering our code, already.’”
Because God forbid someone should find a security hole!
Oracle backed away from Davidson’s position in less than 24 hours. “We removed the post as it does not reflect our beliefs or our relationship with our customers,” wrote Edward Screven, Oracle executive vice president and chief corporate architect.
But Oracle has not taken down Davidson’s 2011 rant, nor others. For example, in an earlier 2015 post, Davidson described security researchers outside Oracle’s Unbreakable walls as little more than greedy brats crying for attention:
This is so much horse-pucky.
Yes, people want to make money and gain fame by finding and revealing security holes. Is that such a bad thing It’s certainly better than, say, finding a security hole and then exploiting it, isn’t it I think so.
Davidson also seems stuck in the dark ages of security. She believes in security by obscurity.
In 2012, for example, Davidson lambasted the Payment Card Industry Security (PCI) Standards Council for requiring “vendors to disclose (dare we say ‘tell all’) to PCI any known security vulnerabilities and associated security breaches.” Or, as she put it more succinctly, “tell your customers that you have to rat them out to PCI.”
She added, just to make it perfectly clear where she’s coming from, that information on security vulnerabilities at Oracle is on a “need to know” basis.
Perhaps Davidson’s extreme reactionary stance comes from the fact that David Litchfield, the famed U.K. security expert, has made a career of hacking Oracle database software. Back in 2005, Litchfield, who reverse-engineers Oracle code to find its vulnerabilities, said, “It is my belief that the CSO [Davidson] has categorically failed. Oracle security has stagnated under her leadership and it’s time for change.”
Ten years later, people like Davidson who believe that keeping code closed and proprietary is a good thing have grown far fewer in number. Even Microsoft has gotten the open-source message.
Who loves Linux Microsoft CEO Satya Nadella loves Linux.
Oracle with Linux and MySQL gets open source too. But Davidson Not so much.
One of open source’s tenets is Linus’s Law: “Given enough eyeballs, all bugs are shallow.” Davidson, with her naked contempt for anyone who examines Oracle’s code, appears to be out of step with Oracle and the open-source method.
Or, is she
It’s not as if Davidson is saying anything new. She’s been making juvenile attacks — I mean what’s a chief anything officer doing saying “suck” over and over again — for years now. She’s been Oracle’s CSO for 15 years, and Oracle still lets her babble to the public without any control. Larry Ellison, if no one else, clearly thinks she’s doing a great job.
I don’t pretend to understand what’s going on inside Oracle. People at Oracle who talk to reporters don’t tend to keep their jobs for very long.
From the outside looking in, I see a company that both embraces and rejects the open-source method. That second part is not healthy for its products’ security. And, in the long run, it’s not healthy for Oracle’s future as a company.
Back in 2006, Davidson said, her “goal is to be out of a job.” Maybe it’s time for Oracle to take her up on that offer.