In-brief: Oracle CSO Mary Ann Davidson’s screed against vulnerability researchers was a shock – unless you’ve been listening to what she and her employer have been saying for the last two decades.
In almost two decades on the job, Oracle’s Chief Security Officer Mary-Ann Davidson has earned a reputation for verbally shooting first and asking questions later. Its her schtick, so to speak. And, so far, it has worked out well for her – at least until this week, when Davidson arguably shot herself in the foot with a wildly off-key blog post (mirrored on Pastebin) in which she railed against the work of independent vulnerability researchers and third-party testing firms.
The blog post, which went up on Monday, was quickly taken down and then unabashedly disowned by Oracle. Edward Screven, the company’s Chief Corporate Architect, said in a statement to media that Davidson’s blog “does not reflect our beliefs or our relationships with our customers.” Oracle, he said, “has a robust programme (sp) of product security assurance and works with third-party researchers and customers to jointly ensure that applications built with Oracle technology are secure.”
That may be true, but nothing that Davidson wrote in her post was new – at least to those within the information security industry who are familiar with her and her opinions. Davidson has long been a staple at security conferences and is known as a contrarian on issues like independent vulnerability research, bug bounty programs and the like.
Indeed, despite Oracle’s official disavowal, the post on the company’s blog was vintage Mary Ann Davidson: cantankerous, confrontational and unapologetic. After nodding briefly in recognition to the anxiety that customers have about the security of their networks and critical applications in the face of nation-state actors, Davidson goes on to excoriate both customers and independent security experts who would even consider testing her employer’s software.
Customers, she notes, don’t have access to the raw source code for Oracle’s products so they can’t “see whether there is a control that prevents the attack the scanning tool is screaming about.” Even if they do find a security hole, customers can’t develop a patch for it – “only the vendor can do that.” So why bother, right?
Finally, Davidson reminds readers that doing static analysis on Oracle’s software is “almost certainly violating the license agreement.” No surprise: consultants and independent third-party testing firms incur most of Davidson’s wrath. She speaks derisively of the independent code auditor who “reverse engineers” Oracle’s code, creates “a big fat printout (and) drops it on the customer, who then sends it to us.” She also casts aspersions on the value of independent code audits, calling the output of both static and dynamic code analysis “not much more than a pile of steaming … FUD,” using the acronym for “fear, uncertainty and doubt” in place of the word s**t. Clever.
Davidson speaks admiringly of the high barriers that Oracle puts up to such sinful (her word, not mine) activity. “We require customers to log a service request for each alleged issue (not just hand us a report) and provide a proof of concept (which some tools can generate).” Assuming they clear that high bar, Oracle responds with, in essence, a cease and desist letter. “Oh, and we require customers/consultants to destroy the results of such reverse engineering and confirm they have done so,” she brags.
And what does she offer in place of the work of independent researchers and customers? In essence, nothing. Customers should simply trust the tech industry’s equivalent of the old boys network: “large-ish vendors” who, by Davidson’s account “have fairly robust assurance programs now (we know this because we all compare notes at conferences).”
What’s wrong with this? Just about everything. Needless to say, assurances from jet setting CxOs that “all is well” with product security because they had a drive by conversation in the hallway at some conference doesn’t even pass the laugh test. As security experts in the fast-growing vulnerability discovery and application security testing fields noted in public statements yesterday, debates about “responsible disclosure” (as it used to be called) and whether independent experts are within their rights to look for security holes in widely used software went out of style along with the flip phone.
“Vendors need to be responsive to their customers’ valid requests for assurance, and to security researchers who are trying to make the software we all consume better,”said Chris Wysopal, the CTO of Veracode* in an e-mail statement. “Discouraging customers from reporting vulnerabilities or telling them they are violating license agreements by reverse engineering code, is an attempt to turn back the progress made to improve software security.”
Casey Ellis, the CEO of the vulnerability marketplace Bugcrowd pointed out another obvious point: threatening well-meaning customers and contractors with lawsuits just clears the field for the cyber criminals.
“Cybercriminals and nation-state actors (who are the primary users of exploits in Oracle’s software) aren’t going to honor Mary Ann’s request, nor will they heed Oracle’s EULA,” wrote Ellis. “When the crowd contains the smartest folks around the table… the last thing you want to do is silence them.”
Clearly, Oracle is embarrassed by Davidson’s screed. But should it be? The bigger truth may be that Davidson and her long, long tenure at Oracle have only been possible because she and her views dovetail so well with that of the company and its longtime CEO, Larry Ellison.
In the early 2000s, when Oracle’s competitor, Microsoft, was reckoning with its CEO’s Trustworthy Computing memo and rebuilding its entire software development process to emphasize security, Ellison was firing off wild claims that his company’s software was “unhackable” and brow beating reporters who suggested otherwise. Sure, it was a boast that was proven false almost immediately, but Oracle has stuck with the “do as I say not as I do” line ever since.
Similarly, when the subject of working with independent vulnerability researchers has come up over the past two decades, Davidson has batted them away with aplomb, insisting that Oracle hires its own, internal “hackers” and has no need for the labor or ideas of outsiders. Today, Oracle is in the minority of “large-ish” software vendors in not offering bug bounties in some form for talented, independent researchers.
How’s that working? Well, Oracle published patches for 193 vulnerabilities in its most recent quarterly Critical Patch Update (CPU) release in July – that was more than a 90% increase in the number of vulnerabilities from the previous CPU. And, as the security firm Onapsis noted, more than 53% of those vulnerabilities affect business-critical applications, including the company’s Fusion Middleware, Hyperion, Enterprise Manager Grid Control, E-Business Suite, Supply Chain Products Suite, PeopleSoft, Siebel CRM, Commerce Platform and Java SE.
Back in the day, setting up a bounty program or courting “hackers” (as Microsoft long has) may have been daunting for a button-down company like Oracle. But these days, there are plenty of companies that will do all that dirty work for you, including start-ups like hackerone, bugcrowd and bugbountyhq. All firms like Oracle have to do is open their minds (and their wallets). Oracle’s answer so far is still “no.”
Needless to say, when spies and criminals are looting homes and businesses all around you, screaming at your neighbors to “get off your lawn” probably isn’t helping you, nor is it addressing the big problem. Davidson’s blog post underscores how far her company has drifted from its peers and, frankly, common sense. Here’s hoping that Oracle starts to turn the ship around – with or without Davidson at the helm.
(*) Veracode has been a sponsor of The Security Ledger.