
Stop Reverse Engineering Our Code — Oracle Security Chief

Authored by Oracle chief security officer Mary Ann Davidson, the post sharply admonished enterprise customers for reverse engineering, or hiring consultants to reverse engineer, the company’s proprietary software, with the aim of finding as of yet unfixed security vulnerabilities.


Davidson hates code analysis, as she makes clear in other blog posts.

“I’m not beating people up over this merely because of the license agreement”.

The CSO also said that the company had witnessed a large number of consultants and customers aggressively reverse engineering Oracle’s software simply to search for vulnerabilities in it.

Davidson, in contrast, indicated in her post that certain security research violates Oracle’s intellectual property rights.

“Prosecuting security researchers who try to report vulnerabilities to you is counterproductive for vendors and their customers in terms of security”, said Katie Moussouris, who helped launch Microsoft’s bug bounty program and is also chief policy officer of the HackerOne program, which handles rewards for those who report vulnerabilities in Yahoo, Adobe, Dropbox and Twitter products. “Many companies are screaming, fainting and throwing underwear at security researchers to find problems in their code and insisting that This Is The Way, Walk In It: if you are not doing bug bounties, your code isn’t secure”.

The license forbids any kind of code analysis, however important a customer might consider it. It remains to be seen whether Oracle’s customers, as well as independent researchers, will take this diktat kindly.

According to the CSO, while this behavior was understandable given the pace at which new security threats are emerging, scanning the system for security bugs is just not necessary for customers or consultants to do since Oracle has always kept the level of security threats under control. Oracle has a robust program of product security assurance and works with third party researchers and customers to jointly ensure that applications built with Oracle technology are secure.

“We removed the post as it does not reflect our beliefs or our relationship with our customers”, Edward Screven, executive vice-president and chief corporate architect, said.

Oracle did not immediately respond to PCMag’s request for comment.

The tone of the original blog post took many in the security industry by surprise.

“Application security is an enormous software supply chain issue for both enterprises and software vendors because we all rely on software provided by others”. She went on to write that security practices, including encrypting sensitive data and “applying relevant patches”, would be a better use of resources. Static analysis is the process of inspecting the object code, or source code, of a program to find vulnerabilities. Davidson pointed to the licensing agreement that customers had entered into with the company.
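To make the definition of static analysis in the paragraph above concrete, here is an added example of a source-level static check; it is not part of the original article and does not relate to any Oracle product. It uses Python’s standard `ast` module to walk a program’s syntax tree and flag calls that are commonly associated with vulnerabilities (shell command construction, `shell=True`, unsafe deserialisation, dynamic code evaluation), without executing the program. The sample program being scanned, `SAMPLE_SOURCE`, is constructed for the example, and the list of flagged calls is a deliberately small, illustrative ruleset, not a complete one.

```python
import ast

# Constructed sample program to scan (deliberately contains weak patterns).
# The trailing backslash after ''' makes the first source line be line 1.
SAMPLE_SOURCE = '''\
import os
import pickle
import subprocess

def run(cmd):
    os.system("ls " + cmd)            # shell command built by concatenation

def run_shell(cmd):
    subprocess.run("ls " + cmd, shell=True)   # shell=True re-enables shell parsing

def load(blob):
    return pickle.loads(blob)         # unpickling externally supplied bytes

def safe(arg):
    return subprocess.run(["ls", arg], check=True)   # argv list, no shell: not flagged
'''

# Illustrative ruleset: dotted call name -> why it is worth a reviewer's attention.
DANGEROUS_CALLS = {
    "os.system": "shell command execution",
    "os.popen": "shell command execution",
    "eval": "dynamic code evaluation",
    "exec": "dynamic code evaluation",
    "pickle.loads": "unsafe deserialisation",
    "pickle.load": "unsafe deserialisation",
}


def _qualified_name(node):
    """Return the dotted name of a call target, e.g. 'os.system', or None
    when the target is not a plain name/attribute chain (e.g. a call result)."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = _qualified_name(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


class DangerousCallFinder(ast.NodeVisitor):
    """Collects (line, call_name, reason) tuples for suspicious calls."""

    def __init__(self):
        self.findings = []

    def visit_Call(self, node):
        name = _qualified_name(node.func)
        if name in DANGEROUS_CALLS:
            self.findings.append((node.lineno, name, DANGEROUS_CALLS[name]))
        # Any subprocess.* call that passes shell=True as a literal is flagged,
        # because a string command is then parsed by the shell.
        if name and name.startswith("subprocess."):
            for kw in node.keywords:
                if (kw.arg == "shell" and isinstance(kw.value, ast.Constant)
                        and kw.value.value is True):
                    self.findings.append((node.lineno, name, "shell=True"))
        # Keep walking so nested calls (e.g. arguments) are also inspected.
        self.generic_visit(node)


def scan_source(source):
    """Parse `source` and return findings sorted by line number.
    Nothing in `source` is executed; only its syntax tree is inspected."""
    tree = ast.parse(source)
    finder = DangerousCallFinder()
    finder.visit(tree)
    return sorted(finder.findings)


if __name__ == "__main__":
    for line, call, reason in scan_source(SAMPLE_SOURCE):
        print(f"line {line}: {call} ({reason})")
```

Running the script lists three findings (lines 6, 9 and 12 of the sample) and correctly leaves the argv-list `subprocess.run` call alone. Real analyzers add data-flow tracking so that a constant command string is not reported while one built from untrusted input is; this example only matches call names, which is why its output is a review queue rather than a verdict.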

Despite Davidson’s resolute security position, Oracle recently announced 193 critical security fixes, including 25 for Java, 23 of which were thought to be remotely exploitable.

“It’s incredibly arrogant for Oracle to suppose that they have all the answers and that their IP protections are sufficient and proper to guard against bad guys hacking your organization”, said Jonathan Feldman, CIO at the city of Asheville, N.C. “We know it’s stupid”.

“They can’t be the only outlier on this and not engage the community”.


There could be a positive outcome from all this, however. “I’m hopeful that this whole thing will lead to a turnaround”, Wysopal said.
