http://www.computerworld.com/article/2975780/security/oracle-still-clueless-about-security.html
By Steven J. Vaughan-Nichols
Computerworld
Aug 25, 2015
Oracle’s chief security officer, Mary Ann Davidson, recently ticked off
almost everyone in the security business. She proclaimed that you had to
do security “expertise in-house because security is a core element of
software development and you cannot outsource it.” She continued, “Whom do
you think is more trustworthy? Who has a greater incentive to do the job
right — someone who builds something, or someone who builds FUD around
what others build?”
Oh. Wait. That’s what Davidson said in 2011!
What she said in 2015 was that security reports based on
reverse-engineering Oracle code and then applying static or dynamic
analysis to it do not lead to “proof of an actual vulnerability. Often,
they are not much more than a pile of steaming … FUD.”
Davidson’s blog post is one long rant that boils down to, “How dare people
analyze Oracle code?” “I have seen a large-ish uptick in customers reverse
engineering our code to attempt to find security vulnerabilities in it.
<Insert big sigh here.> This is why I’ve been writing a lot of letters to
customers that start with “hi, howzit, aloha” but end with ‘please comply
with your license agreement and stop reverse engineering our code,
already.’”
Because God forbid someone should find a security hole!
Oracle backed away from Davidson’s position in less than 24 hours. “We
removed the post as it does not reflect our beliefs or our relationship
with our customers,” wrote Edward Screven, Oracle executive vice president
and chief corporate architect.
[...]