[ISN] Software should defend itself: Oracle CSO

From: InfoSec News (alerts@private)
Date: Wed May 23 2007 - 22:58:17 PDT


http://www.zdnet.com.au/news/security/soa/Software-should-defend-itself-Oracle-CSO/0,130061744,339277758,00.htm

By Munir Kotadia
ZDNet Australia
23 May 2007

Applications will have to defend themselves from attack in the future, 
according to Oracle's chief security officer Mary Ann Davidson.

At the opening keynote of the AusCERT 2007 conference this morning, 
Davidson said applications should be more like US Marines.

"Every Marine fights -- whether you are a clerk or a medic, every Marine 
is first and foremost a Marine, which means they know how to defend 
themselves. This is an ethos I really think we are going to need in this 
new world.

"Realistically, why do we need all these [security] products in the 
first place -- because software can't defend itself," said Davidson.

Davidson also suggested that vendors should state the methods they have 
used to try and keep their code as bug free as possible.

"Maybe you can't prove that this product is free of defects but at least 
prove to me that you use these [tools] in its development. You are going 
to have to have some kind of proof that you paid attention in 
development -- even to the level of training people and what kind of 
software lifecycle you have," said Davidson.

Poor understanding of security and sloppy coding practises can also play 
a part in creating vulnerabilities but "part of it needs to be that 
products know how to protect themselves, they know what to expect", she 
said.

Developers should create software for a specific purpose and not try 
account for every future possibility, according to Davisdon.

"Developers are very creative and often think about usages way in the 
future ... but by allowing every possible future they are also allow a 
lot more attack vectors," she said.


Databases are the "Holy Grail" for hackers

Before introducing Davidson to the stage, the general manager of AusCERT 
Graham Ingram pointed out how important it was that database 
applications are not breached.

"The databases that you hold, with names, with addresses and in some 
cases with credit card details, are a very rich target for the people 
who want to obtain that information in their attacks.

"We cannot leave behind the thinking that the databases and the database 
applications are, in many cases, the Holy Grail for the attackers," said 
Ingram.


_____________________________________________________
Attend Black Hat USA, July 28-August 2 in Las Vegas, 
the world's premier technical event for ICT security 
experts. Featuring 30 hands-on training courses and 
90 Briefings presentations with lots of new content 
and new tools. Network with 4,000 delegates from 
70 nations.   Visit product displays by 30 top
sponsors in a relaxed setting. Rates increase on 
June 1 so register today. http://www.blackhat.com



This archive was generated by hypermail 2.1.3 : Wed May 23 2007 - 23:15:13 PDT