Why Oracle CSO attempt to shoot the messenger is misguided

Mary Ann Davidson, CSO of Oracle, unleashed a firestorm of controversy this week thanks to a misguided and ill-advised blog post. Davidson ranted about customers doing independent vulnerability scans to detect flaws in Oracle code and stressed that any poking around in the Oracle code is a violation of the licensing terms of service.

On top of being inappropriate in its tone and unbecoming of a C-level executive at a company like Oracle, the blog post alienates both customers and security researchers in a way that doesn’t benefit anyone. Oracle has since removed the post, but the genie is out of the bottle and the public relations damage is already done.

Davidson explained in her post:

If we determine as part of our analysis that scan results could only have come from reverse engineering (in at least one case, because the report said, cleverly enough, “static analysis of Oracle XXXXXX”), we send a letter to the sinning customer, and a different letter to the sinning consultant-acting-on-customer’s behalf – reminding them of the terms of the Oracle license agreement that preclude reverse engineering, So Please Stop It Already. (In legalese, of course. The Oracle license agreement has a provision such as: “Customer may not reverse engineer, disassemble, decompile, or otherwise attempt to derive the source code of the Programs…” which we quote in our missive to the customer.) Oh, and we require customers/consultants to destroy the results of such reverse engineering and confirm they have done so.

To be fair, Davidson is technically correct about the legalities of reverse-engineering the Oracle code as governed by the license agreement. Punishing customers or security researchers for doing due diligence and discovering flaws that Oracle itself has missed, however, is a good way to lose customers.

“Modern security means taking a broad approach and that includes working with the research community. It is common for older companies to fear security researchers,” explained Katie Moussouris, Chief Policy Officer of HackerOne. “However, even companies with older code bases and broad enterprise support and compatibility issues can still make incentives, or bounties, that create a win-win-win between the security research community, the company, and ultimately the customers who benefit from greater security. As I always say, Don’t Hate the Hacker; Hate the Vuln.”

Brenden Vaughan, Director of Threat Research for Webroot, said, “Personally I think it does no one any good to attempt to prevent customers from looking for security flaws in any software or operating system. Cybercriminals will not stop attempting to find vulnerabilities they can exploit, so it is of vital importance that a white hat attempt to find them first.”

Oracle may very well have top-notch developers and security researchers vigilantly analyzing code to identify and resolve all detected flaws. Once software is released in the real world, though, it is subject to unique scenarios and conditions that expose it to risks Oracle may never have considered. Morey Haber, VP of technology for BeyondTrust, stressed that cybercriminals and foreign nations don’t care about Oracle’s licensing agreement. “They will stop at nothing to find a flaw and leverage it against our companies, infrastructure, and government. That’s what keeps hitting the news. So unless we have similar teams conducting the same research and investigation independently, we will be at a disadvantage to their attacks and findings.”

Consensus in the security researcher community generally supports the idea that the issue is more about disclosure—when and how a researcher makes a given flaw or exploit public—rather than the research to discover the vulnerability itself.

Vaughan said, “There is a very strong motivation for security experts to publically release their findings for personal gain and bragging rights among their peers. One need only attend a few of the briefings at Black Hat or Defcon to observe this first hand. It is seen as an achievement to find and demonstrate new exploits.”

Haber sympathizes with Davidson’s perspective—especially for vulnerabilities that are disclosed without adequate time for the vendor to address the issue. “The process really needs to be managed, and not by the independent researcher that finds a vulnerability in the first place. I can only imagine the amount of information that crosses Oracle’s security desk, and the amount of energy it takes to prove or refute a vulnerability claim; especially when the results being submitted are questionable to begin with.”

Haber added, “From my perspective as the VP of Technology, and reading the original post and subsequent reply, this is the best interpretation I can give of their feelings and frustration with the current state of vulnerabilities, disclosure, and due diligence by any company to make secure solutions.”

As it turns out, the wording of the licensing agreement may not give Davidson or Oracle the right to block security research anyway. Moussoris shared that the Copyright Office has had a public hearing and is considering carving out a specific niche within the Digital Millennium Copyright Act (DMCA) exempting security research and protecting security researchers from the sort of legal harassment and bullying Davidson professed.