[attrition] rant: A Decade of Oracle Security

lyger lyger at attrition.org
Mon Jul 28 17:58:29 UTC 2008


http://attrition.org/security/rant/oracle01/

Mon Jul 28 13:57:15 EDT 2008
Jericho (Security Curmudgeon)

Oracle Corporation, one of the largest software companies in the world, 
has been providing database software for 30 years. What began as a U.S. 
intelligence agency funded relational database designed on a PDP-11 and 
never officially released, later turned into perhaps the largest and most 
prevalent commercial database used around the world. With global companies 
relying on Oracle databases for information management, the need for 
database security is critical. Despite that need, Oracle products have 
been plagued with all manner of security vulnerabilities that demonstrate 
Oracle products were not designed with security in mind. As new versions 
and new products are released, each is found vulnerable to critical issues 
that allow for trivial denial of service and complete database compromise.

The last decade of Oracle product security has been dismal. In the midst 
of CEO Larry Ellison's promises that their database product was 
'unbreakable' and CSO Mary Ann Davidson's repeated claims that security is 
a core facet of their software lifecycle, security researchers continue to 
find critical remote vulnerabilities in the bulk of their products. The 
history provided here is to help make Oracle customers aware of just how 
little security really matters to Oracle Corporation.

It is past time for their customers to take the advice of Davidson and 
demand better from vendors. It is time for Oracle customers to demand the 
appointment of a Chief Security Officer that will stop the outright lies 
and spin-doctoring and turn their attention to the security of future 
products. Read the executive biography of Mary Ann Davidson and determine 
if she is living up to her job duties.

"We are not just a really good commercial database but also a very secure 
commercial database." -- Mary Ann Davidson, 30th Anniversary soundbite 
quote - 2007.16.04

[...]
