The Oracle blog mess is missing a global business perspective

When financial profit outshines security best practices.


Another important thing to mention is that somebody must pay for every discovered security flaw. When I started as a penetration tester and security researcher, I failed to understand this. Later, getting more practical experience as a business owner and manager, I started seeing vulnerability research and remediation from both sides of the barricade. Once a vulnerability is reported to the vendor, the company has to pay for the time of competent security people to investigate and properly patch the issue. Those people are expensive and are usually busy with higher-priority issues from a business perspective.

Sometimes it’s more critical for a business to fix a tiny XSS than to patch a series of critical RCEs. Since the majority of bugs and security flaws submitted to Oracle must be quite difficult to read and time-consuming to analyze, it’s not a big surprise that Oracle is not very happy about those submissions that it does not consider a high priority for its business. Again – yes, in a perfect world we would write flawless code and leverage everyone’s input to make our software more secure – but unfortunately we are not living in a perfect world.

I recently spoke with the global CSO of one of the largest banks in Central Europe about DAST and SAST testing for their external web applications. Being a security perfectionist, I offered to start with SAST and finish with DAST, arguing that some types of vulnerabilities and attack vectors can only be detected with proper source code analysis. The reply was very clear and straightforward: “We are not going to pay to detect, and especially not to remediate, vulnerabilities that can be exploited only with access to our source code – we don’t have the money for it.”

Can we criticize this approach when major banks are cutting tens of thousands of jobs at once? I don’t think so.

There are still some idealists and perfectionists (including myself) in the industry, but the reality is different: at the end of the day, every business is about money and profitability. Black Hats conduct APTs because somebody pays them. White Hats release new products and solutions to prevent those APTs because customers pay them, and even Bug Bounty researchers conduct research because they are remunerated somehow. To date, nobody has managed to invent anything that can replace Maslow's pyramid as a model of human behavior.

One may argue that Black Hats will always conduct their own vulnerability research and outperform companies that don’t set cybersecurity as their main business priority for every single product. This is perfectly correct. However, in my penetration testing practice I can hardly remember a single properly configured and patched Oracle system that really required a zero-day to compromise. Moreover, there are dozens of more efficient and less expensive ways to launch APTs without reverse engineering Oracle products. While the financial sector takes on average 176 days to patch security vulnerabilities, Black Hats don’t really need zero-days anymore.

Yes, Oracle cannot compete with Google, which has information security as one of its most important business priorities. But from a business perspective, Oracle does not need to compete with Google's security team: their business models and markets are totally different.

Last, but not least: can someone create a real competitor to Oracle with an emphasis on information security, and make a profit? I doubt it.

Should Oracle be more constructive and less offensive in its blog posts? Definitely yes. Otherwise it will face a wall of misunderstanding.

Copyright © 2015 IDG Communications, Inc.
