Oracle's CSO "No, You Really Can't" analyze their code

Last night Oracle’s CSO Mary Ann Davidson wrote a blog post that described a negative stance on external security research and bug bounties specifically.

The post was taken down sometime this morning but you can read the archive here.

I’ll particularly highlight the Bug Bounty section:

Q. Hey, I’ve got an idea, why not do a bug bounty? Pay third parties to find this stuff!

A. Bug bounties are the new boy band (nicely alliterative, no?) Many companies are screaming, fainting, and throwing underwear at security researchers**** to find problems in their code and insisting that This Is The Way, Walk In It: if you are not doing bug bounties, your code isn’t secure. Ah, well, we find 87% of security vulnerabilities ourselves, security researchers find about 3% and the rest are found by customers. (Small digression: I was busting my buttons today when I found out that a well-known security researcher in a particular area of technology reported a bunch of alleged security issues to us except – we had already found all of them and we were already working on or had fixes. Woo hoo!)

I am not dissing bug bounties, just noting that on a strictly economic basis, why would I throw a lot of money at 3% of the problem (and without learning lessons from what you find, it really is “whack a code mole”) when I could spend that money on better prevention like, oh, hiring another employee to do ethical hacking, who could develop a really good tool we use to automate finding certain types of issues, and so on. This is one of those “full immersion baptism” or “sprinkle water over the forehead” issues – we will allow for different religious traditions and do it OUR way – and others can do it THEIR way. Pax vobiscum.

Bugcrowd’s CEO, @caseyjohnellis, posted his response on the Bugcrowd blog. Read his full post here.

Let me also say: The security research community, both friendly and adversarial, doesn’t have a concept of “No, You Really Can’t” – The title of Mary Ann Davidson’s post. They challenge assumptions and find out how things actually work, as opposed to how they are supposed to work.This feature is precisely what makes the good guys valuable, and the bad guys particularly scary.

What are your thoughts on Mary’s post? How do you think Oracle could better handle their approach to security testing by customers and external consultants?

The tl;dr is “this is too hard to manage, everyone just cut it out and trust us to find and fix the vulnerabilities”. This seems consistent with Oracle’s interaction with security researchers in the past - Does anyone in here have experience they can share (or “have a friend” with an experience they can share)?

If the company can’t manage their own executives, what does that say about the way they manage their products? I find her tirade to be equal parts bat-shit crazy and insightful. She makes some awesome points about threat landscape. If you aren’t doing the basics – you need not be worried about 0days – your attacker will never have to get that far. Unfortunately she went from there to “WTF” in about 30 parasecs and never looked back.
This is one of those watershed moments that prompts people to do the “month of Oracle” type stunts and drag out all the skeletons lurking in the old scott/tiger closets. Considering the breadth and depth that Oracle has lodged itself in our state, local and federal govt ( at one point Larry Ellison sold the State of California the equivalent of 1 Oracle license per person in the state. (http://www.crn.com/news/channel-programs/18819577/oracle-on-defensive-over-california-contract-controversy.htm) – that kind of exposure is scary from the overall collateral damage. Thats just on the Database side – lets not even begin to talk about all the things Sun was into. Beyond Java…

I have known MAD for a long time now. She is a great, opinionated individual. I laugh when individuals call her ignorant. Apparently they have little clue into her academic, military, and industry-related work. What I see happening is her rant screwed up her message. I didn’t get the pornography portion. I would be curious to see Oracle’s General Counsel interpretation of “reverse engineering”, TOS / Licensing Agreements, and how it applies to finding vulnerabilities.

I rarely use those as hallmarks of a persons understanding of technology, how it works or even at the least security. Since I don’t know her – I can only go by what she has presented, and what is presented paints a bleak picture of a person who is at the helm of one of the largest Database vendors in the US, as well as the company that owns the rights to Java™ which to this day (thanks to the Android OS) is still a thing…

1 Like

There’s a guy on bugtraq who spent a lot of time on Oracle bugs who actually went through and analyzed her statistic of “3%”… which seems way off:

http://www.securityfocus.com/archive/1/536221

In any case, whatever her professional qualifications and whatever message she originally intended to put across, it didn’t go down very well.