Slashdot Mirror


Oracle Exec: Stop Sending Vulnerability Reports

florin writes: Oracle chief security officer Mary Ann Davidson published a most curious rant on the company's corporate blog yesterday, addressing and reprimanding some pesky customers that just will not stop bothering her. As Mary put it: "Recently, I have seen a large-ish uptick in customers reverse engineering our code to attempt to find security vulnerabilities in it." She goes on to describe how the company deals with such shameful activities, namely that "We send a letter to the sinning customer, and a different letter to the sinning consultant-acting-on-customer's behalf — reminding them of the terms of the Oracle license agreement that preclude reverse engineering, So Please Stop It Already."

Later on, in a section intended to highlight how great a job Oracle itself was doing at finding vulnerabilities, the CSO accidentally revealed that customers are in fact contributing a rather significant 1 out of every 10 vulnerabilities: "Ah, well, we find 87 percent of security vulnerabilities ourselves, security researchers find about 3 percent and the rest are found by customers." Unsurprisingly, this revealing insight into the company's regard for its customers was removed later. But not before being saved for posterity.

7 of 229 comments

  1. Link to full text by aitikin · Score: 4, Informative

    As it's been taken down: http://www.scribd.com/doc/2741...

    --
    "Don't meddle in the affairs of a patent dragon, for thou art tasty and good with ketchup." ~ohcrapitssteve
  2. Re:Yet another reason to avoid Oracle by gpmidi · Score: 5, Informative

    Not to mention you have to do business with a company that is well known for fucking over its customers.

  3. Re:Yet another reason to avoid Oracle by binarylarry · Score: 4, Informative

    Fucking over its customers, business partners, employees, investors, family, government, religion, charities, etc.

    Oracle is probably the worst company in tech, in every category.

    --
    Mod me down, my New Earth Global Warmingist friends!
  4. In Washington trying to make research illegal by phantomfive · Score: 5, Informative

    Oracle has been reportedly working hard in Washington trying to make security research illegal.

    Of course, malicious hackers will always be finding exploits, and using them.

    --
    "First they came for the slanderers and i said nothing."
  5. Re:Piss off- text of her blog which was taken down by Anonymous Coward · Score: 4, Informative

    Mary Ann Davidson Blog
    No, You Really Can't
    By User701213-Oracle on Aug 10, 2015

    I have been doing a lot of writing recently. Some of my writing has been with my sister, with whom I write murder mysteries using the nom-de-plume Maddi Davidson. Recently, we've been working on short stories, developing a lot of fun new ideas for dispatching people (literarily speaking, though I think about practical applications occasionally when someone tailgates me).

    Writing mysteries is a lot more fun than the other type of writing I've been doing. Recently, I have seen a large-ish uptick in customers reverse engineering our code to attempt to find security vulnerabilities in it. This is why I've been writing a lot of letters to customers that start with "hi, howzit, aloha" but end with "please comply with your license agreement and stop reverse engineering our code, already."

    I can understand that in a world where it seems almost every day someone else had a data breach and lost umpteen gazillion records to unnamed intruders who may have been working at the behest of a hostile nation-state, people want to go the extra mile to secure their systems. That said, you would think that before gearing up to run that extra mile, customers would already have ensured they've identified their critical systems, encrypted sensitive data, applied all relevant patches, be on a supported product release, use tools to ensure configurations are locked down — in short, the usual security hygiene — before they attempt to find zero day vulnerabilities in the products they are using. And in fact, there are a lot of data breaches that would be prevented by doing all that stuff, as unsexy as it is, instead of hyperventilating that the Big Bad Advanced Persistent Threat using a zero-day is out to get me! Whether you are running your own IT show or a cloud provider is running it for you, there are a host of good security practices that are well worth doing.

    Even if you want to have reasonable certainty that suppliers take reasonable care in how they build their products — and there is so much more to assurance than running a scanning tool - there are a lot of things a customer can do like, gosh, actually talking to suppliers about their assurance programs or checking certifications for products for which there are Good Housekeeping seals for (or "good code" seals) like Common Criteria certifications or FIPS-140 certifications. Most vendors — at least, most of the large-ish ones I know — have fairly robust assurance programs now (we know this because we all compare notes at conferences). That's all well and good, is appropriate customer due diligence and stops well short of "hey, I think I will do the vendor's job for him/her/it and look for problems in source code myself," even though:

    A customer can't analyze the code to see whether there is a control that prevents the attack the scanning tool is screaming about (which is most likely a false positive)

    A customer can't produce a patch for the problem — only the vendor can do that

    A customer is almost certainly violating the license agreement by using a tool that does static analysis (which operates against source code)

    I should state at the outset that in some cases I think the customers doing reverse engineering are not always aware of what is happening because the actual work is being done by a consultant, who runs a tool that reverse engineers the code, gets a big fat printout, drops it on the customer, who then sends it to us. Now, I should note that we don't just accept scan reports as "proof that there is a there, there," in part because whether you are talking static or dynamic analysis, a scan report is not proof of an actual vulnerability. Often, they are not much more than a pile of steaming … FUD. (That is what

  6. Re:Account to CSO by ClickOnThis · Score: 4, Informative

    It's interesting that Mary Ann Davidson was an accountant and then became the CSO at Oracle.

    Accountant? Citation please. I can't find any evidence she was ever an accountant at Oracle.

    According to the brief wikipedia article on her, she joined Oracle in 1988 as a product manager, and became a product marketing manager in their computer-security division in 1993. Not exactly hard-core tech, but not an accountant either.

    https://en.wikipedia.org/wiki/...
    http://www.oracle.com/us/corpo...

    --
    If it weren't for deadlines, nothing would be late.
  7. Re:Yet another reason to avoid Oracle by La+Camiseta · Score: 4, Informative

    I recently experienced this - we had purchased a complete Micros package for a hotel and everything was going along well. Now that Oracle bought them, support goes to a call center where they have no idea what they're talking about and just try to upsell you paid services.

    If you're ever looking for something that was from (formerly) Micros, now Oracle Hospitality; run, don't walk.

    Also, I've found that InfoGenesis is much better for POS and LMS is excellent for hotel management systems (even though it's based on the iSeries).