Slashdot Mirror


Oracle Exec Strikes Out At 'Patch' Mentality

An anonymous reader writes "C|Net has an article up discussing comments by Oracle's Chief Security Officer railing against the culture of patching that exists in the software industry." From the article: "Things are so bad in the software business that it has become 'a national security issue,' with regulation of the industry currently on the agenda, she said. 'I did an informal poll recently of chief security officers on the CSO Council, and a lot of them said they really thought the industry should be regulated,' she said, referring to the security think tank."

5 of 264 comments

  1. yeah... by narkotix · Score: 3, Informative

    this explains all....bunch of slackasses!

    --
    We played dungeons and dragons for 3 hours.....then i was slain by an elf
  2. Re:Of course by arivanov · Score: 5, Informative

    No.

    Not at all in fact.

    Open Source has nothing to do with this and I would suggest that you actually do some research instead of parroting the usual "Open Source will fix all problems" mantra.

    Oracle has recently been shown to have up to 5 years turnaround to patch glaring security holes. This has reached the point where security researchers like Litchfield, who have had an ongoing relationship with Oracle for 10+ years, do not want to work with them any longer. Note, we are not talking sc1pt k1dd10tz sitting in their dad's basement here. The people in question consult banks, governments, large corps and cannot actually recommend them a working security policy because Oracle cannot get its head out of its arse and patch a security problem for multiple years after it has been reported to them.

    As a result, people who used to work on Oracle problems and reported them in private to Oracle have started posting them openly "0 day" style or giving Oracle a 1 month fixed notice of an impending posting regardless of whether it has a patch or not.

    Obviously Oracle is pissed.

    First of all it breaks all of their marketing bollocks about unbreakability and security to bits.

    Second, it is threatening their sales to customers in regulated markets where security issues must be addressed within a fixed term after being known.

    This is the reason for them to rattle the "regulation" sabers and moan about a "patch culture". Open Source has nothing to do with it.

    --
    Baker's Law: Misery no longer loves company. Nowadays it insists on it
    http://www.sigsegv.cx/
  3. I write the standard. She doesn't get it by ajv · Score: 5, Informative

    I write the OWASP Guide, which is used by basically everybody as the standard for web application security, and is the official standard of Visa, many governments, and so on.

    She talks to CSOs who mostly are bean counters. They see money down the drain from patching. I agree with them - patching is inefficient and wasteful. But it's necessary as Oracle builds crap, buggy and insecure software. They are easily five+ years behind Microsoft in churning out safer software. Buffer overflows, high privilege accounts, public access to highly privileged library functions - all this stuff is easily 10-15 years old and should not be in Oracle 10g, but it is.

    Oracle has time and time again outright refused to get on board with a secure coding program, often fixing just the little bug which gained root privileges, exposed all your data, or destroyed the database outright. Instead, they should be searching for all those types of bugs and fixing them in one hit. Davidson has more than enough time to address the root cause.

    She is holding software up to the standards of bridges. Bridges have tolerances and over-design built into them. Most software does not. Often, to make artificial deadlines set by beancounters, software is shipped with bugs. Often the bugs are not found for some time and require researchers to go find them. If it's not researchers, it's the commercial 0day crowd. This is where Davidson shows she is an amateur and must be replaced. It's best for HER customers to be secure, and that means shipping secure software. Shipping insecure software does not prevent the 0day houses from creating exploits. Oracle's reputation as a solid data partner is worthless if we lose all our data to an attacker because Oracle suppressed the news from us, rather than fixing the problem.

    It is simply unachievable to build bug free software for a reasonable cost. What is required is care, developer training in secure software techniques, and defense in depth. That is our tolerance and over-design. Oracle is sadly lacking. She has had five years to get their developers onto a program of building this into their platforms, and she's failed miserably. I will be interested to hear what standards they use, and if it's mine (OWASP Guide), or if they do their own based upon ours, or use Microsoft's.

    I've called for her to step down more than once. When she attacked the good name of David Litchfield and NGS Software, I was outraged - this was like shooting the messenger that their "unbreakable" software was pure crap, which we already knew - but now know through his unstinting efforts that it is truly appalling and not fit for purpose.

    If this latest "push" for too little too late does not work out, she should be sacked by the Oracle board for the good of all Oracle shareholders and customers. She's had more than enough time to make a positive change, and should make way for someone who really understands security.

    --
    Andrew van der Stock
  4. Re:But it's different things by MathFox · Score: 4, Informative
    Too much time is spilled in "integration" and testing because management refuses to plan time for high level design. One can create better quality software in about the same amount of time when one uses a proper development process. Some hints:
    • Do a proper high-level design.
    • Review your design with all stakeholders, including QA/testing and marketing.
    • Plan time to fix issues in all steps of the project.
    • Prototypes are to throw away, don't build your product on top of them.
    • Require specifications for all parts of the application.
    • Peer review all specifications.
    • Peer review all code.
    • Perform unit and module tests on all parts of the code.
    • Fix bugs as early as possible.
    Development will cost more and take longer
    While it will take more time till a programmer starts coding, you will need less time to find and fix bugs. A clean design leads to cleaner module interfaces, which makes tracing the bug easier. Doing module testing means that a lot of bugs are found early and are automatically traced to an offending module, which means quick fixing.

    Restrictions on hardware and software
    For high-reliability, yes. It's hard to write software that can replace blown-out fuses. I think it is ridiculous that an Internet-connected Windows system is "automagically" degrading to a near useless condition, so Windows should be thrown out.
    It should be possible to run a decent selection of software on a server, where the user selects his mixture, taking into account his desired level of reliability. An Operating System should sufficiently isolate processes so that a single bug doesn't crash the machine.

    Slower performance.
    Needless consistency checks slow things down (and improper checks may even cause instability). With a proper design you know what to check where, so you only check once. In my experience good quality software performs better than bad software.

    Take the phone switches for example. These things don't crash, ever. They just work. [...] they've had like one major upgrade (5ESS to 7R/E) in the last couple decades
    Sorry, I had to pick myself up from the floor; I fell off my chair laughing. I did work for a telco and crashed a few switches myself, the Lucent stuff you mention. Ericsson makes more reliable systems (but they have a different design philosophy). And software updates for phone switches appear regularly.

    --
    extern warranty;
    main()
    {
    (void)warranty;
    }
  5. Re:But it's different things by R-ballbat · Score: 3, Informative

    Take the phone switches for example. These things don't crash, ever. They just work. Great, but they only do one thing, you use only certified hardware, they've had like one major upgrade (5ESS to 7R/E) in the last couple decades, and they cost millions.

    As other posters have already noted, telephone switches do crash, or much more frequently, have impairments short of a complete outage. Lucent's marketing boasts of five 9s availability, but that's based on aggregate FCC reporting data, not for any one switch.

    And the claim that there has been only one major upgrade makes me laugh. Right now there have been about twenty generic releases (major software releases), although some of the recent ones (since about 5E16 or so) are supposed to be split between wireless & wireline. In between generics, there are numerous patch releases. That's just the software. On the hardware side, there have been many hardware changes since the No. 5 ESS came out in the 80's. Some of the changes have been optional, but many have required grafting new hardware onto an existing switch (like CM & AM retrofits).

    7/RE was more of a collection of upgrades and marketing than anything unique in its own right. Lucent has since gone back to calling it 5ESS, just like they have with 5ESS-2000, and every other marketing name change they've tried. I can't wait to see what Alcatel tries.

    There's redundancy and reliability built into most vendors' equipment, but it's far from perfect, especially when you start adding humans into the mix.