Slashdot Mirror


Oracle's Chief Security Officer Speaks Out

s0u1d13r writes "ZDNet Australia posted a special article from Oracle's CSO regarding the treatment and publishing of exploits and vulnerabilities by security researchers. From the article: 'There's a myth about security researchers that goes like this: Vendors are made up of indifferent slugs who wouldn't fix security vulnerabilities quickly -- if at all -- if it weren't for noble security researchers using the threat of public disclosure to force them to act.' An interesting read from the perspective of one of the largest software vendors accused of ignoring vulnerabilities by software researchers."

4 of 112 comments

  1. Department of Homepage Security by Doc Ruby · Score: 4, Insightful

    Sure, why waste time fixing bugs, when you can attack the researchers whose bug reports make you look bad? People are going to buy Oracle no matter what, so these bugs matter only by requiring the Marketing Department to talk tech, rather than spin the wonders of Oracle that make the Web a safe, peaceful utopia. If Oracle is going to deliver every American our government serial number, its Security chief has to play from the same denial playbook as the Department of Homeland Security to which they'll be charging those fat support contracts.

    --
    make install -not war

  2. "security researchers" is a broad rubric by DingerX · Score: 4, Insightful

    In TFA she discusses two sorts: those who play ball, and those who don't. One of the continuing problems with IT security is the fact that the bright folks who can find or fix problems aren't always the ones who understand how really big, clunky corporations work.

    The only goal in the article there is to discourage people from doing the whole "I found a vulnerability, you have 5 days to comply" nonsense. Yeah, sure, it works great if you've got a 1-person operation with no legal team, and no multitiered support system in place to filter out the garbage.

    1. Re:"security researchers" is a broad rubric by dbarclay10 · Score: 4, Insightful
      In TFA she discusses two sorts: those who play ball, and those who don't. One of the continuing problems with IT security is the fact that the bright folks who can find or fix problems aren't always the ones who understand how really big, clunky corporations work.
      The only goal in the article there is to discourage people from doing the whole "I found a vulnerability, you have 5 days to comply" nonsense. Yeah, sure, it works great if you've got a 1-person operation with no legal team, and no multitiered support system in place to filter out the garbage.

      You miss the entire point. You could be referring to one of two "really big, clunky corporations." Either the "really big, clunky corporation" that needs to upgrade all their vulnerable equipment, or the "really big, clunky corporation" which actually has to provide the fix. Let's do the last one first:

      • My job is to provide services in a secure, cost-effective, and efficient manner
      • It's my responsibility to choose the components I will use to do my job
      • That means that (unlike the recent Oracle vulnerabilities), I require that fixes for reported vulnerabilities be provided in a reasonable time-frame, fully-tested and audited
      • A "reasonable timeframe" is measured in hours, days, or - very occasionally - weeks. Not months or years (such as the recent Oracle fixes)
      • You may say "that will increase the cost of the products" - no it won't. The relatively minor increase in ticket and support contract price is dwarfed by the price of a security breach
      • Whether the vendor is a "big, clunky corporation" or not is irrelevant - all that matters is if they can meet the requirements set out by their customers (of which I am but one, and trust me, more and more customers are demanding reasonable security-fix practices - of which "sit on it for a year or more" isn't one)
      Or, if you're talking about the "really big, clunky corporation" which can't manage to perform critical upgrades at a time appropriate for the business:
      • That's their choice and their problem. That some yahoo idiot corporation can't expend the resources to secure their infrastructure isn't my responsibility.
      • Note that near reporting periods, I don't touch critical infrastructure either. My choice. I implement what workarounds are safe to put in place, and I make a calculated risk. By refusing to act on security-related reports in a timely manner, Oracle took that choice away from me.

      To sum up: Oracle waited YEARS to fix some of these bugs. I don't care why they were unable to fix them. They got caught with their pants down, after the people who reported them decided that "okay, by now, somebody who'll use these vulnerabilities to actually attack people has probably found them" and subsequently released (limited) details required to inform Oracle's customers of the possibility of vulnerabilities.

      Now they're trying to blame those people, who actually gave me the ability to make reasoned decisions? The gall. A year ago I wasn't in a position to choose which software we used in our infrastructure, and now I am. Oracle's failure to act upon vulnerability reports, and their subsequent attempt to disparage those who allowed me to do my job, has lost them any possibility of future sales while I'm in charge (until, of course, they actually change - and confirming that change will require me to actually audit their own practices, which I doubt they'll ever let me do).

      The saddest part? We're a software development firm which gets to dictate to some really big customers what database engine they use. We're talking about tens of thousands of licenses, easy. Whereas we were previously looking at MySQL, Postgres, and Oracle. Now Oracle is just totally ruled out.

      --

      Barclay family motto:
      Aut agere aut mori.
      (Either action or death.)
  3. Re:Rubbish as usual by Donny Smith · Score: 4, Insightful

    The article criticizes security researchers, which is apparently easier than spending energy on introspection.

    And all that from a company that marketed its product as "Unbreakable" despite dozens of security problems every year.

    Scum.