Oracle’s chief security officer, Mary Ann Davidson, has caused a bit of a furor in the independent security community by taking the stance that independent bug-hunting is, well, wrong.
“You would think that before [reverse-engineering code to find flaws], customers would already have ensured they’ve identified their critical systems, encrypted sensitive data, applied all relevant patches, be on a supported product release, use tools to ensure configurations are locked down – in short, the usual security hygiene – before they attempt to find zero-day vulnerabilities in the products they are using,” she said in her post, entitled “No, You Really Can’t.” Oracle has taken the post down amid the controversy, but a cached version can be found here.
Her basic point is this: that customers—and the independent security consultants they pay—shouldn’t go a-bug-hunting, because vendors know best. At least, that’s the point she got to after inexplicably plugging the murder mysteries that she writes with her sister under the nom de plume Maddi Davidson.
“Even if you want to have reasonable certainty that suppliers take reasonable care in how they build their products – and there is so much more to assurance than running a scanning tool - there are a lot of things a customer can do like, gosh, actually talking to suppliers about their assurance programs or checking certifications for products,” she said, with an undeniably bratty tone.
And in case anyone mistook that patronizing point, she added, “I do not need you to analyze the code since we already do that, it’s our job to do that, we are pretty good at it, we can – unlike a third party or a tool – actually analyze the code to determine what’s happening and at any rate most of these tools have a close to 100% false positive rate so please do not waste our time on reporting little green men in our code.”
She then said that she’s been very busy writing—and not just penning murder mysteries involving sushi (no, really, there’s one about sushi). She’s been writing cease-and-desist letters to researchers. “Letters that start with ‘hi, howzit, aloha’ but end with ‘please comply with your license agreement and stop reverse engineering our code, already,’” she said.
Ouch. So much for community-driven security approaches.
Predictably, that community has been in an uproar, deeming her post to be ill-informed and off base, so it’s no surprise that Oracle took it down. The consensus seems to be that slapping license-violation suits on researchers is an attempt to turn back the progress made in improving software security. It should be noted, for instance, that other leaders in the industry – Google, Apple, Microsoft, Adobe – all encourage third-party code audits and bug bounty programs as a valuable extension of their own security processes. It should also be noted that Oracle—creator of Java—has had its fair share of zero-day issues as well.
“We now rely on software for everything - health, safety and wellbeing - and crafting a policy of ‘see something, say nothing’ puts us all at risk,” said Chris Wysopal, CTO and CISO at software security company Veracode, via email. “Application security is an enormous software supply chain issue for both enterprises and software vendors because we all rely on software provided by others. Vendors need to be responsive to their customers’ valid requests for assurance, and to security researchers who are trying to make the software we all consume better.”
And in case we forget what’s at stake, crowdsourced flaw-hunting company Bugcrowd CEO and co-founder Casey Ellis had, quite rightly in Slack’s mind, this to say: “Cybercriminals and nation-state actors (who are the primary users of exploits in Oracle's software) aren't going to honor Mary Ann's request, nor will they heed Oracle's EULA. When the crowd contains the smartest folks around the table (e.g. David Litchfield @dlitchfield - A notoriously excellent Oracle security researcher), the last thing you want to do is silence them.”