A recent blog post written by Oracle’s CSO caused a heavy storm in the infosec industry. Many people (mis)understood the blog post as a direct attack against security researchers, crowd vulnerability hunting and all sorts of bug bounties in general.
Eduard Kovacs compiled a great summary of industry reactions to the event in his article last Friday. On the Internet, the debate was mainly reduced to a “pen testing vs. bounties” holy war and discussions about the legal consequences of EULA violation. “Radicals” on both sides of the barricades poured oil on the flames, some by recommending the restriction of any type of security research and jailing any perpetrators, others by calling on the community to release zero-days into the wild for revenge. Both approaches are far from constructive, and will hardly improve global Internet security.
However, I don’t think that Mary Ann Davidson intended to insult or criticize security researchers or bug bounties. The key message, if we read between the lines, is quite different: the security of [all] our products is not the main priority for our business (important: this does not mean that Oracle doesn’t care about the security of its products). Let’s try to understand this very serious and very important message for our industry. We will analyze the blog post not from a technical point of view, but from a business and financial perspective only, as today’s economy and cybersecurity are intertwined.
First of all, it’s very important to define the role of a CSO in any business. CSOs are employed and paid to protect their business from financial losses caused by hacking and insider attacks, or by their consequences. Unlike technical staff, a CSO doesn’t really care about vulnerabilities and attack vectors as such, but rather about their impact on corporate business and corporate cash flow. If vulnerability remediation costs $100, and the maximum impact it may have on the business within one year is $10, very few businesses can afford to patch it. Information security serves business needs and priorities, and not vice versa. As someone representing a vendor company, I wish things were different, but that’s the reality we have.
Cybersecurity has never been the main business priority for the majority of Oracle’s products and solutions: it’s enough to take a quick look at the OSVDB website and to follow their blog to understand this. Nevertheless, if you take a quick look at Oracle’s 10-year stock performance, you will see consistent growth and a market capitalization of $170 billion.
Customers select Oracle for other competitive advantages that others cannot offer on the market. I spoke to our customers who paid hundreds of thousands or even millions of dollars for Oracle products and asked them why they had selected Oracle. Nobody replied “for security”; however, many listed other strategic business advantages Oracle offered for their particular business needs. Yes, there are customers who select Oracle’s platform for “political reasons” dictated by their corporate headquarters, but their HQs still selected Oracle.
Oracle has conducted a very successful and profitable business for decades, without cybersecurity being the main business priority for every product it has. Oracle devotes its internal security resources to what the company considers most important for its business continuity, profitability and cash flow. Sounds a bit unfair? Agreed, but that’s how global markets work.
At the end of the day, why should they change their strategy? Any reorganization of a business is very expensive and risky, especially for well-established giants like Oracle. And if Oracle fails because of such a reorganization, who will take responsibility and employ all of its security engineers? Who will feed their families and kids? Not to mention who will pay the security researchers or the security companies selling security audits to Oracle customers.
The now infamous blog post compared bug bounties with “rock bands” not because Oracle disrespects them (at least I hope not), but because from a business perspective Oracle could buy all bug bounty companies at once without seeing any impact on its financial performance. Yes, The Beatles made a revolution and proved that a rock band can conquer the world. However, how many rock bands besides The Beatles can you name today that have done the same? Definitely far fewer than have existed.