Oracle owns up to erasing controversial blog


In a now-deleted blog post that is still circulating on the internet, Oracle Chief Security Officer Mary Ann Davidson complained at length that she does not want Oracle's customers, or the outside security researchers they hire, finding and reporting security bugs in Oracle's software products.



“The security of our products and services has always been critically important to Oracle”, the company said after pulling the post. The tone of the original was rather different. In it, Davidson compared a customer's reverse engineering of Oracle's code to adultery, writing that it was not acceptable “any more than ‘but everybody else is cheating on his or her spouse’ is an acceptable excuse for violating ‘forsaking all others’ if you said it in front of witnesses”.

Titled “No, You Really Can’t”, the post delves into Davidson’s frustrations with customers hiring outside consultants to reverse engineer Oracle’s code.

“If we determine as part of our analysis that scan results could only have come from reverse engineering we send a letter to the sinning customer, and a different letter to the sinning consultant-acting-on-customer’s behalf, reminding them of the terms of the Oracle license agreement that preclude reverse engineering, so please stop it already”, she wrote.

Talking to CRN, Tarzey said Oracle should not only be tolerating end users and channel partners who look for vulnerabilities in its code, but actively encouraging the practice. Davidson's own position was the reverse: that the security controls customers already have are sufficient, and that they should take every available step to lock down any possible flaw before they even consider performing a code analysis. “I am not running away from our responsibilities to customers, merely trying to avoid a painful, annoying and mutually-time wasting exercise”, she said in the original post.

The post, which was removed shortly after publication, argued that “only the vendor” can and should look for bugs in its own software, and that customers “can’t produce a patch for a problem” anyway. What followed is by now a familiar sequence: “Backlash ensues and they decide to remove it. They get the internets!”

In a statement sent to Channelnomics and attributed to executive vice president and chief corporate architect Edward Screven, Oracle moved to clear up the reasons why it had decided to pull the post.

“Oracle has a robust programme of product security assurance and works with third-party researchers and customers to jointly ensure that applications built with Oracle technology are secure”.

Oracle’s statement paints a rosier picture of its relationship with security researchers than Davidson depicted. The post itself has been deleted, but an archived copy survives and can be read here.

Davidson wrote the post in question-and-answer form, under headings such as “Q. What is Oracle’s policy in regards to the submission of security vulnerabilities (found by tools or not)?”

The irony is that many of the security vulnerabilities Oracle has had to deal with over the years were pointed out only by these independent researchers, which is what allowed the company to fix them.

But the argument that intellectual property rights take precedence over security is becoming dated in an age where everything from cars to homes and healthcare equipment can be hacked.

While other IT industry heavyweights have embraced bug bounties and working with security researchers more generally, Oracle has set its face in the opposite direction in a blog post likening reverse engineering to cheating on your spouse.

