[ISN] Oracle's security chief lambastes faulty coding

From: InfoSec News (isn@private)
Date: Fri May 26 2006 - 02:05:31 PDT


By Jeremy Kirk
IDG News Service

Mary Ann Davidson, chief security officer for database giant Oracle,
remembers the first time she heard her company's marketing scheme that
advertised its database products as "unbreakable."

"I think my response was 'What idiot dreamed this up?," Davidson said
Thursday at the W3C conference in Edinburgh, Scotland.

If civil engineers built bridges in the same fashion in which software
developers write code, people would face the "blue bridge of death"  
every morning going to work, Davidson said. Software developers, she
noted, tend to laugh nervously when they hear the analogy -- an
insider reference to what programmers call the blank, "blue screen of
death" on a PC display when Windows fails.

But Davidson, who commands a security unit responsible for database
applications used by multinational companies and governments, said
developers often have a blind eye for security. Hackers are proving
ever more capable of taking advantage of poorly written software, and
it's naive for developers to think those holes won't be exploited, she

"The mentality needs to change," she said.

The financial cost of faulty code in software is staggering. The
National Institute of Standards and Technology, a U.S. government
agency, estimates computer security problems cost between $22.2
billion to $59.5 billion per year, Davidson said.

The problem of insecure software starts with how software developers
are taught at universities and goes straight through to systemic
vendor attitudes, Davidson said.

Software coders at Oracle often need remedial coding education after
they are hired since they don't consider how "evil" input could affect
their products such as databases, Davidson said. Universities are not
teaching secure coding practices and are reluctant to change their
curriculum, she said.

Vendors are pressured to move products into the market as quickly as
possible, and often lack the tools to build better ones, Davidson
said. As a result, software development is reaching a "tipping point"  
where poor security is a board-level issue.

The result of bad code means spiraling patching costs for both clients
and companies such as Oracle. Davidson said the record for fixing one
defect was 78 patches, which cost the company around $1 million.

"I don't hate protecting our customers, that's important, but what a
waste of resources to try to band-aid after the fact something we
should have caught earlier," she said.

As a result, Oracle has implemented numerous measures to produce
better code. Oracle created a 200-page guide on coding standards. An
in-house hacking team pokes products for holes in live hacking
sessions. Developers up to senior vice presidents must participate in
educational Web-based classes.

"We use our own dumb-ass mistakes as examples," Davidson said.  
"Because if you don't do that, developers think this is an academic

The company uses new in-house tools to looks for buffer overflow
vulnerabilities and SQL injection attacks. It also employs software
from Fortify Software to scan for problems in Oracle's 30 million
lines of code, she said.

The environment around security is getting better, she said. A few
years ago, books on security were scare. But the implications of poor
security -- and an entrenched attitude that frequent patching is
acceptable -- are too costly.

"My goal is to be out of a job," Davidson said.

Attend the Black Hat Briefings and
Training, Las Vegas July 29 - August 3
2,500+ international security experts from 40 nations,
10 tracks, no vendor pitches.

This archive was generated by hypermail 2.1.3 : Fri May 26 2006 - 02:49:57 PDT