[ISN] Backing Up Oracle's "Unbreakable" Vow

From: InfoSec News (isnat_private)
Date: Tue Jan 15 2002 - 08:21:16 PST

  • Next message: InfoSec News: "[ISN] [defaced-commentary] WoH makes the "news""

    By Alex Salkever 
    JANUARY 15, 2002 
    It's up to new Chief Security Officer Mary Ann Davidson to make the
    software giant's extremely risky claim stick
    Mary Ann Davidson is one cool customer -- but she has to be. As chief
    security officer for database and business-software giant Oracle, her
    job is making sure that its programs live up to the "Unbreakable"  
    claim that's at the center of an ongoing marketing campaign. The
    pitch, a favorite of Oracle CEO Larry Ellison, seeks to convince
    customers that Oracle software will foil any and all cyberattacks.
    As Davidson well knows, such claims are anathema in the information
    security community, where consensus holds that any piece of software,
    no matter how secure, can be cracked. The boast has attracted a huge
    spike in hacker attacks against Oracle's Web site. The company claims
    that so far, none have been successful. However, security researcher
    David Litchfield recently announced that he found a vulnerability in
    Oracle's application-server software in December, 2001.
    Davidson, one of a handful of women occupying a high rank in the
    information security universe, is unfazed. She started her career as a
    civil engineer working with the Navy Seabees and has spent the past 14
    years with Oracle, where she ascended to the CSO slot in December. On
    Jan. 11, she spoke with BusinessWeek Online Technology Editor Alex
    Salkever. Here are edited excerpts of their conversation:
    Q: So how did Larry Ellison convince you to sign off on the
    "Unbreakable" promo campaign? I would be terrified as a chief security
    officer to do that.
    A: He decided to run "Unbreakable" before I started as chief security
    officer, so I have an easy out. Larry has said publicly that when he
    first proposed "Unbreakable," the biggest pushback he got [inside the
    company] was from the server technologies group, which includes my
    Calling your code "Unbreakable" is like having a big bull's-eye on
    your products and your firewall. Obviously, nobody wants to be a
    target. But when we thought about it, we thought what does
    "Unbreakable" really speak to? It speaks to product assurance. I stand
    behind that commitment and our products.
    Q: Do you really think the product is "Unbreakable," or is it just a
    lot less breakable?
    A: Well, think about what the opposite of "Unbreakable" would be: "Our
    products can be broken into, and we don't care." Look, our core
    customers are among the most security-conscious in the world. I
    respectfully and somewhat lovingly refer to them as the professional
    paranoid. I'm not allowed to say who they are, but you can guess.
    Even if we don't do things perfectly but we do it much better than our
    competition and customers purchase Oracle on that basis, you will see
    the overall level of security improve in the industry. "Unbreakable"  
    gives us something to live up to. It really does concentrate the mind
    wonderfully. The general thought is don't embarrass the company.  
    Nobody wants to be the group that makes us violate it.
    Q: When did Ellison start to become interested in the idea of securing
    things and making security a chief concern?
    A: He has always been concerned about it, and he has always been very
    knowledgeable about it. He knew that we had a security group, and he
    knew what we built, down to a fairly technical understanding of the
    product. But I think "Unbreakable" is a reflection of a big change.  
    [It used to be] security was something that only the professional
    paranoid worried about. Now with the growth of the Internet, security
    is something that everyone now has to be concerned about. You must
    admit, from a marketing standpoint, it has a punchy sound. It's a lot
    better than "Pretty Darned Good Security."
    Q: How did Oracle go about securing its products? What did you do
    A: Not that much different, actually. We used the same processes we
    have used before in terms of putting secure programming and
    development standards in place. We are being more stringent and, dare
    I say, draconian, in making sure people adhere to coding standards and
    product check-off lists before we ship products.
    Q: Tell me more.
    A: In addition to having coding standards, we make every group that
    owns a line item in our product components complete a questionnaire
    that is geared toward making sure we avoid the top 15 stupid security
    mistakes companies get burned on. Some of the check-offs are on the
    propeller-head level, like checking for buffer overflows [a security
    vulnerability where a hacker can overload an entry field with
    characters, causing a computer to crash and possibly allowing
    cyberintruders to break into the system]. Something like 80% of all
    security vulnerabilities published have to do with buffer overflows.
    The check-offs go down to things like forced password changes for
    default accounts. [While] a lot of it is Security 101, some of it is
    more technical. With those lists, it's 100% compliance. We are not
    going to allow any deviation at all.
    Q: What do you think are the broad lessons the software industry could
    learn from your experiences at Oracle and with "Unbreakable"?
    A: You can't slap it on at the end. If you don't commit to a secure
    product [throughout its entire life cycle], you can't engineer it in
    at the end and expect to have secure products.
    Q: What are the three most important steps any company can take to
    build more secure software?
    A: The line in real estate is "location, location, location." In
    security, it's not as straightforward but it's the same idea --
    "culture of security, culture of security, culture of security." If
    you don't maintain a corporate culture that puts security as an
    important thing, you can't convince your developers to make your code
    as bulletproof as possible.
    Q: Has security sealed any deals for you with people who were sitting
    on the fence?
    A: Absolutely. You have seen our marketing campaigns from the past. I
    was joking we should run one that said two out of three e-paranoids
    run on Oracle.
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY
    of the mail.

    This archive was generated by hypermail 2b30 : Tue Jan 15 2002 - 15:27:06 PST