[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Oracle - the last word

To: <bugtraq@xxxxxxxxxxxxxxxxx>, <full-disclosure@xxxxxxxxxxxxxxxxx>, <dbsec@xxxxxxxxxxxxx>, <ntbugtraq@xxxxxxxxxxxxxxxxxxxxxx>
Subject: Oracle - the last word
From: "David Litchfield" <davidl@xxxxxxxxxxxxxxx>
Date: Wed, 10 May 2006 03:33:39 +0100

A few people have asked me recently what it is I'm actually looking for fromOracle. I have a nice little laundry list of things, of course, but mostlyall I've been waiting for is to hear Oracle to say, "We admit we have aproblem with regards to security, but here's our strategy and we're going tomake it better." In that simple admission would lie the cessation of mycriticism of Oracle. But, let's face it, it's not a simple admission inreality. As a business, Oracle can't say, "Oops. We've been mistaken allthese years - turns out our database isn't a secure as we actually thought."A company like Microsoft can, and indeed did, something just like that buttheir business was never built on what was supposed to be a reputation forand a foundation of security. It would be business suicide for Oracle to dothis.

After much rumination, the obvious struck me: Oracle could make theirproduct more secure (and improve the behind-the-scenes processes that enablethem to deliver a secure product) and all the while admit to nothing. WhilstI've been throwing tantrums at their failure to admit to the truth, Oraclehas been working on doing this. It almost passed me by. They're not thereyet but they are getting closer. Let me put that in concrete terms: WhenOracle 10g Release 1 was released you could spend a day looking for bugs andfind thirty. When 10g Release 2 was released I had to spend two weekslooking to find the same number.

Soon, and I have no time frame in mind for "soon", Oracle will have"arrived" at a point where sitting down and finding a single bug will take amonth - and not once would they have had to admit to having problems withsecurity. They'll have solved it. Their tools will be tight and theirprocesses slick. They'll almost be Unbreakable.

I'm sure the strategists at Oracle must have realized this - for anorganization such as Oracle it's really the only reasonable optionavailable. Okay, it's not the open strategy that I'd have preferred but, inthe end, the journey of how they got/get there, to a secure robust product,is irrelevant.

Another thing that struck me was the amount of effort and time that it musthave taken to get a lumbering stegosaurus of a beast like Oracle to turnaround. I can only assume that, as CSO, Mary Ann must credited with that,and as such, I revise my position on her. Dare I say it, well done, Mary.

I realize now that this is how it's going to be - I'm not going to get mymuch sought after admission but at least we get a better, more secureproduct we can be more confident in. Besides, I weary of "Oracle bashing"and I've no doubt that I've wearied many here on these list over the years,too. NGS will, of course, continue to research and find Oracle securityflaws, report them and help Oracle to fix them but, from now on, I'll leavethe proselytizing to others. Oracle have moved sufficiently forward enough,and with enough momentum (now), that I believe they've passed the point ofno return and can do nothing but eventually end up where we all want them tobe.




Cheers,

David Litchfield

NGSSoftware Ltd

http://www.ngssoftware.com/

+44(0) 208 401 0070

Prev by Date: Hackmaster Group DMCounter Remote File Include
Next by Date: Re: Firefox 1.5.0.3 code execution exploit
Previous by thread: Hackmaster Group DMCounter Remote File Include
Next by thread: Re: Oracle - the last word
Index(es):
- Date
- Thread