Dailydave mailing list archives
Re: Moot choices, a sort of DD media party
From: Matt Hargett <matt () use net>
Date: Fri, 01 Jul 2005 13:51:14 +0000
Cesar wrote:
Just a comment about this articlehttp://www.securityfocus.com/news/11230 I haven't tried the Coverity tool mentined there but ithink naming Oracle as a customer don't have any benefit, the first thing that comes to my mind is that the tool doesn't work well (i'm just describing the message i'm getting, i bet it is a really good tool). I think the marketing guys from that company should think what message the public is getting when naming some customers. It's like saying that the tool was used to audit Internet Explorer 5.X. Who cares Oracle is unbreakable.
Some of us approached Oracle with tools that found real bugs as long as 2 years ago. At the time, they were interested in knowing what the bugs were but not in buying the product for ongoing use. Many people we spoke to there were very interested, but it always hit a brick wall with a certain executive.
Amusingly, this same executive has had interesting things to say in public on the matter, in contrast to her private comments. "What this industry needs is tools to help developers find the bugs and teach them how to fix it." was something said 2 years ago or so at Blackhat. Tools were available then that could've prevented some of the exploits seen in the wild, including the 15-year-old PC-Lint or even the now 5-year-old Hailstorm. I'm not saying our product (Logiscan, then BugScan) did the most in-depth of analyses at the time, but at that time Oracle was so riddled with low-hanging-fruit exploits that it was quite effective. The new versions we've released over the last few months are extremely effective, probably catching the next wave of vulnerabilities.
Recently, at the Software Security Summit, this same executive said "Thank god for Kleiner-Perkins and their funding of startups in this space." KP has funded only one company in this space, and it isn't the one that is referenced in the article above. One might speculate that this Oracle executive is setting up a landing pad at a future KP-funded company with such proclamations.
Since the initial contact, we have seen customers analyzing all kinds of COTS software -- Oracle included. It honestly doesn't matter if the vendors use these tools or not -- the consumers will and are, and are already making purchasing decisions based upon this information and the reaction of the vendors they report the issues to. While it would have been nice to help out Oracle 2 years ago, we're having the same impact, securing their customers, by putting the product in the customers' hands instead.
Anyways, I thought the binary diffing article was actually pretty good. I'm glad to see the subject and Halvar's work getting the broader attention it deserves. (Mostly for selfish reasons, of course ;>)
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
https://lists.immunitysec.com/mailman/listinfo/dailydave