[ISN] A Decade of Oracle Security

From: InfoSec News <alerts_at_private>
Date: Wed, 30 Jul 2008 00:17:21 -0500 (CDT)
http://attrition.org/security/rant/oracle01/

A Decade of Oracle Security
Mon Jul 28 13:57:15 EDT 2008
Jericho (Security Curmudgeon)

Oracle Corporation, one of the largest software companies in the world, has been
providing database software for 30 years. What began as a U.S. intelligence
agency-funded relational database, designed on a PDP-11 and never officially
released, later turned into perhaps the largest and most prevalent commercial
database used around the world. With global companies relying on Oracle
databases for information management, the need for database security is
critical. Despite that need, Oracle products have been plagued with all manner
of security vulnerabilities that demonstrate Oracle products were not designed
with security in mind. As new versions and new products are released, each is
found vulnerable to critical issues that allow for trivial denial of service and
complete database compromise.

The last decade of Oracle product security has been dismal. In the midst of CEO
Larry Ellison's promises that their database product was 'unbreakable' and CSO
Mary Ann Davidson's repeated claims that security is a core facet of their
software lifecycle, security researchers continue to find critical remote
vulnerabilities in a bulk of their products. The history provided here is to
help make Oracle customers aware of just how little security really matters to
Oracle Corporation.

It is past time for their customers to take the advice of Davidson and demand
better from vendors. It is time for Oracle customers to demand the appointment
of a Chief Security Officer that will stop the outright lies and spin-doctoring
and turn their attention to the security of future products. Read the executive
biography [1] of Mary Ann Davidson and determine if she is living up to her job
duties.

[1] http://www.oracle.com/corporate/pressroom/html/pressportal/mdavidson.html

[...]


Received on Tue Jul 29 2008 - 22:17:21 PDT
