Forwarded from: Chris Wilson <chrisat_private>

On Tue, 15 Jan 2002, InfoSec News wrote:

> http://www.businessweek.com/bwdaily/dnflash/jan2002/nf20020115_8894.htm

<snip>

> Calling your code "Unbreakable" is like having a big bull's-eye on
> your products and your firewall. Obviously, nobody wants to be a
> target. But when we thought about it, we thought what does
> "Unbreakable" really speak to? It speaks to product assurance. I
> stand behind that commitment and our products.

So Ms. Davidson is willing to stand behind that which she knows to be untrue?

> A: Well, think about what the opposite of "Unbreakable" would be:
> "Our products can be broken into, and we don't care."

Firstly, is that really the "opposite"? I think "breakable" would be the direct opposite, and whether or not anybody cares is orthogonal to the breakability of the product.

Secondly, this is not an issue of black or white. I think everyone who understands practical software security would agree that there is no absolute security, and "absolute" insecurity probably doesn't exist in practice either. So why bring the extremes into the argument at all? Oracle, like all other software in production use in the real world, _must_ occupy some point in the middle ground.

> Look, our core customers are among the most security-conscious in
> the world. I respectfully and somewhat lovingly refer to them as
> the professional paranoid. I'm not allowed to say who they are,
> but you can guess.

And that excuses Oracle's lying to them about the security of their product? Or are they expected to ignore any such claims?

> Even if we don't do things perfectly but we do it much better than
> our competition and customers purchase Oracle on that basis, you
> will see the overall level of security improve in the industry.
> "Unbreakable" gives us something to live up to.

That's certainly a worthy goal, and I would be greatly impressed if Oracle (or anyone) could produce a database server with NO bugs. I do not expect it to happen anytime soon, and it certainly isn't true right now. So is it responsible to claim that a product has certain features when in fact they are a distant goal?

> It really does concentrate the mind wonderfully.

Perhaps Ms. Davidson suspects that Oracle is to be hanged in a fortnight? (apologies to Samuel Johnson).

> The general thought is don't embarrass the company. Nobody wants
> to be the group that makes us violate it.

I'm afraid it's much too late. It is already violated.

> A: He has always been concerned about it, and he has always been
> very knowledgeable about it. He knew that we had a security group,
> and he knew what we built, down to a fairly technical
> understanding of the product. But I think "Unbreakable" is a
> reflection of a big change. [It used to be] security was
> something that only the professional paranoid worried about. Now
> with the growth of the Internet, security is something that
> everyone now has to be concerned about. You must admit, from a
> marketing standpoint, it has a punchy sound. It's a lot better
> than "Pretty Darned Good Security."

PGP sells pretty well with an honest name (Pretty Good Privacy). Why does Oracle need a dishonest slogan to sell a product which is already doing pretty well? Also, isn't it illegal to use misleading advertising?

> Q: How did Oracle go about securing its products? What did you do
> differently?
>
> A: Not that much different, actually. We used the same processes
> we have used before in terms of putting secure programming and
> development standards in place.

I am _so_ encouraged by this. "Instead of building security into the system from the ground up, we retrofitted it using standard design methodology".

> We are being more stringent and, dare I say, draconian, in making
> sure people adhere to coding standards and product check-off lists
> before we ship products.

But the product still shipped with several buffer overflows. Was the code audited by outside contractors?

> A: In addition to having coding standards, we make every group
> that owns a line item in our product components complete a
> questionnaire that is geared toward making sure we avoid the top
> 15 stupid security mistakes companies get burned on.

So Oracle isn't really unbreakable, just slightly defended against the most common 15 attacks. I'd venture that there are more than 15 kinds of mistakes a programmer can make which introduce security vulnerabilities, and that some of them are not documented anywhere yet.

> The check-offs go down to things like forced password changes for
> default accounts. [While] a lot of it is Security 101, some of it
> is more technical. With those lists, it's 100% compliance. We are
> not going to allow any deviation at all.

Why does Oracle ship with a default login/password of "scott/tiger"? Surely it would be better not to have such a standardised security hole? And why do administrators have to correct Oracle's mistakes by manually deleting the account?

> A: You can't slap it on at the end. If you don't commit to a
> secure product [throughout its entire life cycle], you can't
> engineer it in at the end and expect to have secure products.

Ahh, some sense at last. I guess Ms. Davidson does know what she's talking about. So why did Oracle do it that way anyway?

> A: The line in real estate is "location, location, location." In
> security, it's not as straightforward but it's the same idea --
> "culture of security, culture of security, culture of security."
> If you don't maintain a corporate culture that puts security as an
> important thing, you can't convince your developers to make your
> code as bulletproof as possible.

And if developers don't know how to make their software secure (and most don't, including myself) then how can they be expected to live up to their "corporate culture"? Perhaps Oracle should focus on making security a process rather than a corporate culture. At least it's better than defining security as a product!

> Q: Has security sealed any deals for you with people who were
> sitting on the fence?
>
> A: Absolutely. You have seen our marketing campaigns from the
> past. I was joking we should run one that said two out of three
> e-paranoids run on Oracle.

I think Ms. Davidson might actually believe that to be the case, which would be very unfortunate. I for one only trust open source software to have any security at all, and only then because if required to, I could audit the code, or subcontract someone to do so.

Ciao, Chris.

 ___ __ _
/ __// / ,__(_)_    | Chris Wilson <chrisat_private>   | Phone: 01223 503 190 |
/ (_ / ,\/ _/ /_ \  | Tech Director - Caliday Project | RITC (Cambridge) Ltd |
\ _//_/_/_//_/___/  | Unix Systems & Network Engineer | Cambridge CB5 8LA UK |

-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY of the mail.
This archive was generated by hypermail 2b30 : Mon Jan 21 2002 - 03:53:41 PST