CNET carries an article today called Oracle exec hits out at 'patch' mentality in which they cover the comments of Oracle Chief Security Officer (CSO) Mary Ann Davidson (henceforth referred to as MAD), who continues to rage against the security researchers that are throwing rocks at the Unbreakable Oracle glass house of security. There is additional coverage of MAD in Network World covering the same conference, called Oracle's security chief lambastes faulty coding.
The thing I can't understand about MAD is how she can get up at conferences like this one (the WWW2006 conference in Edinburgh, Scotland) in front of thousands of people and spout tripe and contradict herself, all while reacting childishly. I am embarrassed on her behalf.
Let's review (from the CNET article):
The pressure to deal with the problem of unreliable and insecure software is building, and the industry has reached a "tipping point," she said.
Wow, so MAD thinks the industry has reached a tipping point. With the Unbreakable Oracle database having hundreds of unfixed security issues that, according to the researchers finding them, Oracle can't seem to get fixed, and only 4 years after even Microsoft recognized they needed to do something more about security, Oracle recognizes a tipping point! Whew!
But if regulation is coming, the industry has only itself to blame, she said.
"Industries don't want to be regulated, but if you don't want to be regulated, the burden is on you to do a better job."
That's incredible. After years of claiming victory, claiming to have an unbreakable system, MAD offers that if you don't want to be regulated, you have to do a better job. I'm confused: since they're doing a terrible job, does she mean she wants to be regulated? I don't see how else to interpret that.
(and finally, this childish little gem)
She claimed that the British are particularly good at hacking as they have "the perfect temperament to be hackers--technically skilled, slightly disrespectful of authority, and just a touch of criminal behavior."
Backhanded compliment, or dig at the Litchfields and others for exposing so many flaws?
Let's review (from the Network World article):
Mary Ann Davidson, chief security officer for database giant Oracle, remembers the first time she heard her company's marketing scheme that advertised its database products as "unbreakable." "I think my response was 'What idiot dreamed this up?'," Davidson said.
W-w-WHAT?!? Hello! Well, that may be true, but I can't seem to get another tune out of my head, from 2002. It's called Unbreakable: Oracle's Commitment to Security, by Mary Ann Davidson (small print, pg 15). I kind of feel sorry for her - she must have felt it her duty to defend the "idiocy". Let's see what MAD was saying in early 2002:
Most vendors would never dream of claiming they are Unbreakable, because they put minimal effort into securing their software and —by extension— their customers' systems. They don't care, and it shows. They don't care, and it costs their customers in multiple ways:
- increased "hacker insurance" premiums from running unsecurable software
- billions of dollars in damages from viruses caused by neglect of basic security mechanisms
- increased costs from applying patch after patch in a vain attempt to secure products for which security was an afterthought
Unbreakable is a commitment that Oracle gladly makes for multiple reasons:
- importance of security. September 11 was a wake-up call for information security as much as physical security. The ultimate terrorist attack is one in which our critical infrastructure is brought down via a cyber attack by an unknown person from an unknown device in an unknown place.
- business reputation. Oracle's very first customers were among the most security-aware in the world. Twenty-five years after our founding, our core customer constituency still includes the most security-aware customers in the world. Our good name in security is our stock in trade, and ours to lose if we are not Unbreakable.
- cost avoidance. The saying "pay now, or pay later" is especially applicable to security. It is far cheaper for our customers —and for us— that Oracle builds security correctly the first time, than to try to patch it after the fact.
Those who deride Unbreakable as a marketing gimmick should ask the question: why doesn't every vendor commit to make their security Unbreakable?
Okay, good question, MAD. Now, this is just a guess, mind you, but just maybe, and I say maybe, companies avoid a public commitment on Unbreakable because ... THEY WOULD LOOK LIKE IDIOTS.
SecurityX - proudly serving up security skepticism with a side of sarcasm