lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <0a7b01c673da$25b59600$2201a8c0@ngssoftware.com>
Date: Wed May 10 03:33:51 2006
From: davidl at ngssoftware.com (David Litchfield)
Subject: Oracle - the last word

A few people have asked me recently what it is I'm actually looking for from 
Oracle. I have a nice little laundry list of things, of course, but mostly 
all I've been waiting for is to hear Oracle to say, "We admit we have a 
problem with regards to security, but here's our strategy and we're going to 
make it better." In that simple admission would lie the cessation of my 
criticism of Oracle. But, let's face it, it's not a simple admission in 
reality. As a business, Oracle can't say, "Oops. We've been mistaken all 
these years - turns out our database isn't a secure as we actually thought." 
A company like Microsoft can, and indeed did, something just like that but 
their business was never built on what was supposed to be a reputation for 
and a foundation of security. It would be business suicide for Oracle to do 
this.



After much rumination, the obvious struck me: Oracle could make their 
product more secure (and improve the behind-the-scenes processes that enable 
them to deliver a secure product) and all the while admit to nothing. Whilst 
I've been throwing tantrums at their failure to admit to the truth, Oracle 
has been working on doing this. It almost passed me by. They're not there 
yet but they are getting closer. Let me put that in concrete terms: When 
Oracle 10g Release 1 was released you could spend a day looking for bugs and 
find thirty. When 10g Release 2 was released I had to spend two weeks 
looking to find the same number.



Soon, and I have no time frame in mind for "soon", Oracle will have 
"arrived" at a point where sitting down and finding a single bug will take a 
month - and not once would they have had to admit to having problems with 
security. They'll have solved it. Their tools will be tight and their 
processes slick. They'll almost be Unbreakable.



I'm sure the strategists at Oracle must have realized this - for an 
organization such as Oracle it's really the only reasonable option 
available. Okay, it's not the open strategy that I'd have preferred but, in 
the end, the journey of how they got/get there, to a secure robust product, 
is irrelevant.



Another thing that struck me was the amount of effort and time that it must 
have taken to get a lumbering stegosaurus of a beast like Oracle to turn 
around. I can only assume that, as CSO, Mary Ann must credited with that, 
and as such, I revise my position on her. Dare I say it, well done, Mary.



I realize now that this is how it's going to be - I'm not going to get my 
much sought after admission but at least we get a better, more secure 
product we can be more confident in. Besides, I weary of "Oracle bashing" 
and I've no doubt that I've wearied many here on these list over the years, 
too. NGS will, of course, continue to research and find Oracle security 
flaws, report them and help Oracle to fix them but, from now on, I'll leave 
the proselytizing to others. Oracle have moved sufficiently forward enough, 
and with enough momentum (now), that I believe they've passed the point of 
no return and can do nothing but eventually end up where we all want them to 
be.



Cheers,

David Litchfield

NGSSoftware Ltd

http://www.ngssoftware.com/

+44(0) 208 401 0070



Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ