Pete Finnigan's Oracle Security Weblog

I made a note a few days ago when i saw the link to Mary Ann Davidsons (Oracle's security chief) interview with Justin at Open World had been posted to mention it here.

The interview was done in the OTN lounge at Open World and covered some interesting topics ranging from bug fixing and Oracles attitude and stance with Oracle security researchers; then to single fixes, CPU's and even how long it really takes to fix a security bug properly and release a reliable patch.

Someone also asked about Oracles attitudes towards different factions of researchers. The discussion then moved onto federated security and identity management with Mary Ann making a good point about gun owners and credit histories not mixing. She then discussed web security and glueing web components together and that anyone who expects this sort of arrangement to be secure is not realistic.

Someone asked about Oracle source code being found on the web and Mary Ann discussed an ongoing project in this area. Doug asked about the fact that some customers are still not applying CPU's and Mary Ann's comments were excellent in this area. Mirroring my impressions of last time i heard her speak. She is pragmattic and realistic about commercial awareness and security and how they mix with risk; this was really good to hear from someone so senior; no waffle just reallity, i like that!

Mary Ann then went on to talk at some length about legislation and laws and I found this part particularly interesting. I will state what my view is on this. Mary Ann said that the government (US, I guess) should legislate for software (she started likening software to cars and airbags and brakes etc) vendors at a high level to make three things available:

1) secure configuration guides should be easily available
2) make the software install itself to those guides if required
3) provide tools to monitor against those guides

This is very interesting as Oracle don't seem to comply with these totally, Oracle has a security standard that is basic when compared to the CIS Benchmark or the DoD standards - so the standards are there albeit not through Oracle. The software installation to this standard is not there. Even to Oracles own standard is not there (Oracle says remove PUBLIC execute on UTL_FILE for instance but doesnt install that state). Oracle do install open by default still (27,000 PUBLIC privileges in 11gR1 for instance).

Perhaps this is slightly unfair as there has been a lot of improvements in the default installation from a security perspective but not to the level of installing to a specific security standard. Finally the tools option, Oracle does not provide these tools, others do, the SRR scripts or the CIS Benchmark or SCUBA or commercial alternatives such as PFCLScan from us, Appdetective from AppSec....

Oracle will counter the tools argument and the previous statement on secure installs by default by sighting OEM/Database Manager with its security checks and also with Oracle configuration manager BUT this nicely brings in a final point; cost options. One thing that always causes gnashing of teeth and wailing with my clients is that fact that Oracle is known as a security company but most of the nice security features are either cost options (Oracle AS for instance, or OLS for instance) or included in the enterprise edition (maybe the client doesnt run EE). It would be really nice if as much security came as part of the solution at least for things like network encryption and strong authentication and of course secure default installations.

It was a really nice talk and it can be found here.