Security industry reacts to Oracle’s CSO missive

Reactions to the controversial post diverse and emotional

Page 2 of 2

As did Adrian Sanabria, senior analyst, enterprise security practice at The 451 Group. “I object to people calling her crazy and nutty. I think her argument was well put together (though fatally flawed) and the post was well written - entertaining, even. Forget her point-of-view and the EULA for a moment. The REAL issue is that the CSO of a large corporation made a bold statement on a major issue and her company pulled her statement and publicly denounced her views,” Sanabria said.

Andrew van der Stock, project lead for the OWASP Developer Guide at the OWASP Foundation, said, “The thing I agree about is that there needs to be a better way of reporting vulnerabilities. Just dumping Veracode or Nessus output on a vendor without making sure it's real is stupid.” He added, “I also agree with her that folks should pay attention to their own stuff first and foremost, but where we part company is if you stumble across a security defect in a database, that absolutely should be reported and possibly rewarded, not threatened with a sinning letter. So no reporting vulnerabilities without a Proof of Concept and a repeatable write up.”

Few would disagree, and based on interviews with software makers over the years, there is no shortage of what many believe to be less than helpful submissions by bug finders who run software analysis tools and submit findings that are nothing more than false positives. “In all professions there are charlatans, jack-asses and frauds who shouldn't be doing anything more than grabbing people coffee - but there are also a lot of highly qualified, well intentioned security researchers that do offer a tremendous value to the community,” says Amrit Williams DePaulo, chief technology officer at CloudPassage.

Ira Winkler, president at the security awareness firm Secure Mentem, argued that no matter how irritating bug submissions are, Oracle should be able to adequately manage the situation. “Oracle is a very large and rich company, with products that are widely distributed and used for critical applications. Period. They have a responsibility to make their software as strong as possible,” Winkler said. “There might be a lot of false positives and associated costs, but that is a factor of [their selling] a lot of software that has a lot of users. It is a cost of doing business. I'm sure all software companies have the same false positive reports. I don’t hear Microsoft et al. complaining.”

Gene Spafford, computer sciences and electrical and computer engineering professor and executive director at Purdue University, said that software vendors have brought much of the current bug finding efforts and environment upon themselves. “If vendors really applied all we know about how to build robust, secured software — including design, testing, and careful deployment — Mary Ann's position would be quite sensible. The sloppy, slap-dash, first-to-market coding in most products plus dump-it-on-the-users EULAs mean that we have developed a culture where lots of parties feel the need to probe and test things on their own,” Spafford said.

“If she had concluded with a statement like, 'Please continue to feel free to send us the security bugs you find and we'll get them fixed, but please don't waste our time with 500 pages of un-validated findings', it would've been a wee bit more palatable,” said David Litchfield, an experienced software security researcher and consultant at Datacom TSS, who has been known to find a great number of Oracle software vulnerabilities himself.

Copyright © 2015 IDG Communications, Inc.
