[Infowarrior] - A Decade of Oracle Security

Richard Forno rforno at infowarrior.org
Wed Jul 30 00:23:48 UTC 2008


http://attrition.org/security/rant/oracle01/

Mon Jul 28 13:57:15 EDT 2008
Jericho (Security Curmudgeon)

Oracle Corporation, one of the largest software companies in the world,
has been providing database software for 30 years. What began as a U.S.
intelligence agency funded relational database designed on a PDP-11 and
never officially released, later turned into perhaps the largest and
most prevalent commercial database used around the world. With global
companies relying on Oracle databases for information management, the
need for database security is critical. Despite that need, Oracle
products have been plagued with all manner of security vulnerabilities
that demonstrate Oracle products were not designed with security in
mind. As new versions and new products are released, each is found
vulnerable to critical issues that allow for trivial denial of service
and complete database compromise.

The last decade of Oracle product security has been dismal. In the midst
of CEO Larry Ellison's promises that their database product was
'unbreakable' and CSO Mary Ann Davidson's repeated claims that security
is a core facet of their software lifecycle, security researchers
continue to find critical remote vulnerabilities in the bulk of their
products. The history provided here is to help make Oracle customers
aware of just how little security really matters to Oracle Corporation.

It is past time for their customers to take the advice of Davidson and
demand better from vendors. It is time for Oracle customers to demand
the appointment of a Chief Security Officer that will stop the outright
lies and spin-doctoring and turn their attention to the security of
future products. Read the executive biography of Mary Ann Davidson and
determine if she is living up to her job duties.

"We are not just a really good commercial database but also a very
secure commercial database." -- Mary Ann Davidson, 30th Anniversary
soundbite quote - 2007.16.04

[...]
