Thursday, May 24, 2007


It's hack-ish (not meaning hacker-ish) to pick on Oracle for their "unbreakable" branding claim. But until Oracle gets to a place where they can fix buffer overflows in less than a year and XSS in less than 4 years, they really need to put a muzzle on their people when it comes to talking publicly about security.

I say this because the un-flapp-able Mary Ann Davidson gave the keynote at AusCERT 2007 and - I kid you not - compared software to US Marines. I don't think I disagree with the spirit of Mary Ann's point in her speech, but the irony of the situation is overwhelming. Seriously, either she went rogue and hoped nobody would notice, or Oracle needs new PR people. Someone should've talked her out of this.

Oracle is easily the least cooperative of the big vendors when it comes to security. Sure, Apple's been vilified recently for playing hardball with security researchers, but at least they release patches! Oracle's name is mud with researchers and bug reporters - just ask David Litchfield. (PDF link) And given their reputation, one they've spent the past decade earning, Mary Ann Davidson saying,

"Why do we need all these [security] products in the first place? Because software can't defend itself."

"You are going to have to have some kind of proof that you paid attention in development - even to the level of training people and what kind of software lifecycle you have."

is somewhere between hilarious and offensive. Before Oracle officers go around touting vendor-driven defenses, perhaps they ought to spend a little time talking about investing in software QA & bugfix processes and resources. This argument is already over. Microsoft has spent the past 5 years showing the world that you can solve security problems by throwing money at them. So Oracle, it's time to take your own medicine and step up.

In other words, it's time for Oracle to clean up their own backyard and Mary Ann Davidson needs to get the hell off my porch.
