I will stick my foot in here.
Personally, I see this as Oracle's CSO's fault. She's had enough time
in the job to improve Oracle's:
* Pro-active training for their own devs, so they can find and fix
security bugs on their own.
* More than enough time for products like 10g to have a proper
security architecture from the get go, so that it presents minimal
risk out of the box, and adequate security controls once in
operation. It doesn't really improve the security story over 9.2.
* Security test teams. She's been using the "time to test" product
excuse for too long. Oracle is a great believer in outsourcing to
India, it doesn't take that long to hire enough capable talent in
India to test their all their products carefully and thoroughly.
Indian CS grads are the equal of any country, so I find this excuse
to be at best worn out. It's easy to fix lack of testing resources.
* improving security in existing supported products so that
implementing Oracle products doesn't take so long to securely
implement (ie just as one example: no default accounts... at all. See
Pete Finnigan's site for the 600 default accounts they ship today)
* Improving security advice by commissioning workable security
guides. The existing guides are better than nothing, but I get more
from Pete Finnigan's site than Oracle's.
* Implementing necessary security features by default, rather than as
an optional "Advanced Security" pack that no one uses as few know of
it, and even less buy it.
* Communicate with customers about security pro-actively and openly.
I don't ever hear from them despite being in my very large Bank's
security team. As we are responsible for security, we NEED (not want)
all the details Oracle is hiding from us. Not knowing places us at
considerable risk. We are a *very* large customer, and we demand to
know, not be lied to. I will push this through the correct channels
in my bank on Monday.
* Improve responsiveness to researchers and ditch their poor attitude
to professionals such as ourselves. 800 days for a fix is ridiculous
and dangerous to customers who use Oracle's products for mission
critical stuff like we do. Not having confidence in a key component
of our IT systems is unacceptable. 600-800 days is, in my personal
view, negligent.
I think Oracle should find another CSO, one who will address Oracle's
security not as a problem to be swept under the rug, but as an
opportunity for market leadership and as a benefit to customers to
reduce implementation and operational costs. Security is about trust,
and Oracle's security woes have abused and eroded that trust.
I believe it is time for Mary Ann Davidson to stand down. She's had
more than enough time to demonstrate her leadership at Oracle and
turn their poor security record around. She's failed Oracle's
customers for too long, so it's time to let someone else have a shot
at it.
thanks,
Andrew
On 28/01/2006, at 10:59 AM, Valkyrie wrote:
Is this truly a case of Oracle's people being terrible to deal with
when it comes to security research and response, or is it more
toward the corporate culture that may influence how quickly the
organization responds to issues? I could contend the same thing
for several enterprise software and security software/hardware
vendors presently in the IT space. A culture of trusted advisory
and responsiveness to end users just doesn't *seem* to be on the
"Top 5 Initiatives" list. Again, my assertion goes back to failure
to have received a logical response to the question, "How long is
too long to fix your stuff?" Martin has highlighted some
excellent points from what may be a vendor perspective, however,
those points do not necessarily help resolve this issue.
Regards,
valkyrie
Byron Sonne wrote:
This isn't picking on Oracle, this is true for all
vulnerabilities in
widely used publicly available products.
Oracle *should* be picked on though: they're terrible people to
deal with when it comes to security research.
---------------------------------------------------------------------
The Web Security Mailing List
http://www.webappsec.org/lists/websecurity/
The Web Security Mailing List Archives
http://www.webappsec.org/lists/websecurity/archive/
----------------------------------------------------------------------
---
This List Sponsored by: Watchfire
Watchfire's AppScan is the industry's first and leading web
application security testing suite, and the only solution to
provide comprehensive remediation tasks at every level of the
application. See for yourself. Download AppScan 6.0 today.
https://www.watchfire.com/securearea/appscansix.aspx?
id=701300000003Ssh
----------------------------------------------------------------------
----
smime.p7s
Description: S/MIME cryptographic signature
