Oracle Exec Strikes Out At 'Patch' Mentality

An anonymous reader writes "C|Net has an article up discussing comments by Oracle's Chief Security Officer railing against the culture of patching that exists in the software industry." From the article: "Things are so bad in the software business that it has become 'a national security issue,' with regulation of the industry currently on the agenda, she said. 'I did an informal poll recently of chief security officers on the CSO Council, and a lot of them said they really thought the industry should be regulated,' she said, referring to the security think tank."

Re:Of course

[arivanov]

No.

Not at all in fact.

Open Source has nothing to do with this and I would suggest that you actually do some research instead of parroting the usual "Open Source will fix all problems" mantra.

Oracle has recently been shown to have up to 5 years turnaround to patch glaring security holes. This has reached the point where security researchers like Litchfield who have had an ongoing relationshop with Oracle for 10+ years do not want to work with any longer. Note, we are not talking sc1pt k1dd10tz sitting in their dad's basement here. The people in question consult banks, governments, large corps and cannot actually recommend them a working security policy because Oracle cannot get its head out of its arse and patch a security problem for multiple years after it has been reported to them.

As a result people who used to work on Oracle problems and reported them in private to Oracle have started posting them openly "0 day" style or giving Oracle a 1 month fixed notice of an impending posting regardless of does it have a patch or not.

Obviously Oracle is pissed.

First of all it breaks all of their marketing bollocks about unbreakability and security to bits.

Second it is threatening their sales to customers in regulated markets where security issues must be addresses within a fixed term after being known.

This is the reason for them to rattle the "regulation" sabers and moan about a "patch culture". Open Source has nothing to do about it.

I write the standard. She doesn't get it

[ajv]

I write the OWASP Guide, which is used by basically everybody as the standard for web application security, and is the official standard of Visa, many governments, and so on.

She talks to CSO's who mostly are bean counters. They see money down the drain from patching. I agree with them - patching is inefficient and wasteful. But it's necessary as Oracle builds crap, buggy and insecure software. They are easily five+ years behind Microsoft in churning out safer software. Buffer overflows, high privilege accounts, public access to highly privileged library functions - all this stuff is easily 10-15 years old and should not be in Oracle 10g, but it is.

Oracle has time and time again outright refused to get on board with a secure coding program, often fixing just the little bug which gained root privileges, exposed all your data, or destroyed the database outright. Instead, they should be searching for all those types of bugs and fixing them in one hit. Davidson has more than enough time to address the root cause

She is holding software up to the standards of bridges. Bridges have tolerances and over-design built into them. Most software does not. Often to make artificial deadlines made by beancounters, software is shipped with bugs. Often the bugs are not found for some time and requires researchers to go find them. If it's not researchers, its the commercial 0day crowd. This is where Davidson shows she is an amateur and must be replaced. It's best for HER customers to be secure, and that means shipping secure software. Shipping insecure software does not prevent the 0day houses from creating exploits. Oracle's reputation as a solid data partner is worthless if we lose all our data to an attacker because Oracle suppressed the news from us, rather than fixes the problem.

It is simply unachievable to build bug free software for a reasonable cost. What is required is care, developer training in secure software techniques, and defense in depth. That is our tolerance and over-design. Oracle is sadly lacking. She has had five years to get their developers onto a program of building this into their platforms, and she's failed miserably. I will be interested to hear what standards they use, and if it's mine (OWASP Guide), or if they do their own based upon ours, or use Microsoft's.

I've called for her to step down more than once. When she attacked the good name of David Litchfield and NGS Software, I was outraged - this was like shooting the messenger that their "unbreakable" software was pure crap, which we already knew - but now know through his unstinting efforts that it is truly appalling and not fit for purpose.

If this latest "push" for too little too late does not work out, she should be sacked by the Oracle board for the good of all Oracle shareholders and customers. She's had more than enough time to make a positive change, and should make way for someone who really understands security.