I will stick my foot in here.
Personally, I see this as Oracle's CSO's fault. She's had enough time
in the job to improve Oracle's:
* Pro-active training for their own devs, so they can find and fix
security bugs on their own.
* More than enough time for products like 10g to have a proper
security architecture from the get go, so that it presents minimal
risk out of the box, and adequate security controls once in
operation. It doesn't really improve the security story over 9.2.
* Security test teams. She's been using the "time to test" product
excuse for too long. Oracle is a great believer in outsourcing to
India; it doesn't take that long to hire enough capable talent in
India to test all their products carefully and thoroughly.
Indian CS grads are the equal of any country, so I find this excuse
to be at best worn out. It's easy to fix lack of testing resources.
* Improving security in existing supported products so that
implementing Oracle products doesn't take so long to securely
implement (i.e. just as one example: no default accounts... at all. See
Pete Finnigan's site for the 600 default accounts they ship today).
* Improving security advice by commissioning workable security
guides. The existing guides are better than nothing, but I get more
from Pete Finnigan's site than Oracle's.
* Implementing necessary security features by default, rather than as
an optional "Advanced Security" pack that no one uses, as few know of
it, and even fewer buy it.
* Communicate with customers about security pro-actively and openly.
I don't ever hear from them despite being in my very large Bank's
security team. As we are responsible for security, we NEED (not want)
all the details Oracle is hiding from us. Not knowing places us at
considerable risk. We are a *very* large customer, and we demand to
know, not be lied to. I will push this through the correct channels
in my bank on Monday.
* Improve responsiveness to researchers and ditch their poor attitude
to professionals such as ourselves. 800 days for a fix is ridiculous
and dangerous to customers who use Oracle's products for mission
critical stuff like we do. Not having confidence in a key component
of our IT systems is unacceptable. 600-800 days is, in my personal
view, negligent.
I think Oracle should find another CSO, one who will address Oracle's
security not as a problem to be swept under the rug, but as an
opportunity for market leadership and as a benefit to customers to
reduce implementation and operational costs. Security is about trust,
and Oracle's security woes have abused and eroded that trust.
I believe it is time for Mary Ann Davidson to stand down. She's had
more than enough time to demonstrate her leadership at Oracle and
turn their poor security record around. She's failed Oracle's
customers for too long, so it's time to let someone else have a shot
at it.
thanks,
Andrew
On 28/01/2006, at 10:59 AM, Valkyrie wrote:
> Is this truly a case of Oracle's people being terrible to deal with
> when it comes to security research and response, or is it more
> toward the corporate culture that may influence how quickly the
> organization responds to issues? I could contend the same thing
> for several enterprise software and security software/hardware
> vendors presently in the IT space. A culture of trusted advisory
> and responsiveness to end users just doesn't *seem* to be on the
> "Top 5 Initiatives" list. Again, my assertion goes back to failure
> to have received a logical response to the question, "How long is
> too long to fix your stuff?" Martin has highlighted some
> excellent points from what may be a vendor perspective, however,
> those points do not necessarily help resolve this issue.
>
> Regards,
> valkyrie
>
> Byron Sonne wrote:
>
>>> This isn't picking on Oracle, this is true for all vulnerabilities in
>>> widely used publicly available products.
>>
>>
>> Oracle *should* be picked on though: they're terrible people to
>> deal with when it comes to security research.
Received on Jan 27 2006