[Infowarrior] - Oracle CSO: Pot, Kettle, Black

Richard Forno rforno at infowarrior.org
Fri May 26 19:05:03 EDT 2006


(this, coming from a company with a reportedly horrendous track record at
issuing patches in a timely manner -- and for releasing some patches that
don't even work... rf)


Oracle exec hits out at 'patch' mentality

By Jonathan Bennett
http://news.com.com/Oracle+exec+hits+out+at+patch+mentality/2100-7355_3-6077349.html

Story last modified Fri May 26 11:18:08 PDT 2006

Oracle's security chief says the software industry is so riddled with buggy
product makers that "you wouldn't get on a plane built by software
developers."

Chief Security Officer Mary Ann Davidson has hit out at an industry in which
"most software people are not trained to think in terms of safety, security
and reliability." Instead, they are wedded to a culture of "patch, patch,
patch," at a cost to businesses of $59 billion, she said.

"What if civil engineers built bridges the way developers write code?" she
asked. "What would happen is that you would get the blue bridge of death
appearing on your highway in the morning."

Speaking at the WWW2006 conference in Edinburgh, Scotland, on Thursday,
Davidson also touched on the wider subject of the state of the software and
security industries.

The pressure to deal with the problem of unreliable and insecure software is
building, and the industry has reached a "tipping point," she said.

It is now "chief executives who are complaining that what they are getting
from their vendor is not acceptable, in terms of software assurance,"
Davidson said.

Things are so bad in the software business that it has become "a national
security issue," with regulation of the industry currently on the agenda,
she said. "I did an informal poll recently of chief security officers on the
CSO Council, and a lot of them said they really thought the industry should
be regulated," she said, referring to the security think tank.

But if regulation is coming, the industry has only itself to blame, she
said.

"Industries don't want to be regulated, but if you don't want to be
regulated, the burden is on you to do a better job."

Davidson also hit out at the "hacking mentality," and the incidence of
exploits that could cause "a million dollars worth of damage...passed around
freely at conferences." She said there was a major difference between people
working in the software business and engineers who "are trained to think in
terms of safety, security and reliability first."

She claimed that the British are particularly good at hacking as they have
"the perfect temperament to be hackers--technically skilled, slightly
disrespectful of authority, and just a touch of criminal behavior."

Colin Barker and Jonathan Bennett of UK.Builder.com reported from London.
