Oracle, still clueless about security

[InfoSec News <alerts () infosecnews org>]

http://www.computerworld.com/article/2975780/security/oracle-still-clueless-about-security.html

By Steven J. Vaughan-Nichols
Computerworld
Aug 25, 2015

Oracle’s chief security officer, Mary Ann Davidson, recently ticked off 
almost everyone in the security business. She proclaimed that you had to 
do security “expertise in-house because security is a core element of 
software development and you cannot outsource it.” She continued, “Whom do 
you think is more trustworthy? Who has a greater incentive to do the job 
right — someone who builds something, or someone who builds FUD around 
what others build?”

Oh. Wait. That’s what Davidson said in 2011!

What she said in 2015 was that security reports based on 
reverse-engineering Oracle code and then applying static or dynamic 
analysis to it does not lead to “proof of an actual vulnerability. Often, 
they are not much more than a pile of steaming … FUD.”

Davidson’s blog post is one long rant that boils down to, “How dare people 
analyze Oracle code?” “I have seen a large-ish uptick in customers reverse 
engineering our code to attempt to find security vulnerabilities in it. 
<Insert big sigh here.> This is why I’ve been writing a lot of letters to 
customers that start with “hi, howzit, aloha” but end with ‘please comply 
with your license agreement and stop reverse engineering our code, 
already.’”

Because God forbid someone should find a security hole!

Oracle backed away from Davidson’s position in less than 24 hours. “We 
removed the post as it does not reflect our beliefs or our relationship 
with our customers,” wrote Edward Screven, Oracle executive vice president 
and chief corporate architect.

[...]

--
Evident.io - Continuous Cloud Security for AWS.
Identify and mitigate risks in 5 minutes or less.
Sign up for a free trial @ https://evident.io/