Developers ignore their security responsibilities: Oracle

2012-10-16

Michael Lee

http://www.zdnet.com/developers-ignore-their-security-responsibilities-oracle-7000005808/

Software developers are ignoring their responsibilities to protect and design infrastructure that is properly secured, according to Oracle Chief Security Officer Mary Ann Davidson.

Speaking at the Australian Information Security Association's National Conference 2012 in Sydney today, Davidson said that developers, in many cases, were building systems used in key infrastructure without even thinking about security.

"Do we really think that the people that decide [to] have self-driving cars are going to have evil thoughts like 'Gee, I wonder if somebody would use a GPS system [...] to make that particular car have an accident?' Of course not."

"You have accountability. You're building infrastructure. It's not just cool technology."

But according to Davidson, many times, developers take shortcuts, assuming that their applications will only be used in certain ways.

"I used to make a kind of a flip comment about product X: Anybody that buys that and uses it in a SCADA system deserves what happens to them, because [I was] thinking no one would do that, right? And yet, I found that people were doing that."

Davidson said that, once Oracle realised its software was being used in more critical and unexpected applications, it went back and secured those products, but that this was only half of the solution to a bigger problem.

She said that, aside from getting developers to start thinking about security right from the early stages of design, organisations needed to listen to their customers, even if it was hard to take criticism on the chin. She said that sometimes, it was what was needed to make developers realise that their code is actually being scrutinised.

"Now, I do have customers that call up and say, 'This product; what did you do? How did you build that?' and so I can't very well complain that now I have more work, because I actually have to meet their expectations — and that's a good thing."

"I'd much rather have somebody ask an intelligent question, and then they can decide for themselves if it's going to be suitable for their use," she said.

Going further, Davidson said that the security industry still had a long way to go in defending itself, drawing on her experience as a former naval officer.

"Every Marine is a rifleman. It means that everybody that goes through Marine training, whether you're an admin clerk, or a sniper, or whatever you do, every one of you has to be able to pick up a weapon and defend, and I think that that's what makes them so lethal. Why don't we build networks that way?"

Part of the reason, she said, was that Marines don't consider perimeters to be completely unbreachable, and hence need to be prepared to defend themselves from attack from the inside. Bringing it back to the organisational level, Davidson said that many organisations still assumed that attackers won't get inside their perimeter, even though they don't have a staff of Marines.

"We have over 20,000 employees. Do you really think every one of them is trustworthy? Don't assume that."

Davidson also said that, when under attack, networks weren't taking advantage of being able to adapt to the situation.

"If you're getting bad input, or evil input [to a device on the network], you're getting intelligence. You should be able to do something with that.

"Hey, I'm under attack. Now what do I do? Maybe I reconfigure myself. Maybe I don't let that person connect again."

Instead, Davidson said that organisations could turn their networks into dynamic, moving targets, to make it much more difficult for attackers to draw a bead on them.

"It's not like the server is going to move from the Austin datacentre off to Norway magically, by itself. When I have a static defence like that, it makes it a lot easier for the attacker than defender. But what if I were able to do things where the network was able to adapt, and I could keep my opponent off balance? We've never really tried this."
