Skip Links

Oracle mending fences with security researchers

By , IDG News Service
May 26, 2006 05:46 PM ET

IDG News Service - Oracle once marketed its database as "unbreakable," but security researcher David Litchfield has a lesser opinion of the software.

"God forbid that any of our critical national infrastructure runs on this product," he said recently on the widely read Bugtraq security mailing list. "Oops it does."

Security researchers like Litchfield, managing director of Next Generation Security Software, in Sutton, England, make their living finding flaws in other people's software. And while this can put them at odds with software makers, the relationship between Oracle and people like Litchfield has been particularly bad.

In Litchfield's case, the problems go back to 2004, when he published details of an unpatched Oracle vulnerability in a presentation written for the Black Hat security conference. By Litchfield's account, Oracle had given him the go-ahead to discuss the vulnerability, but changed its mind at the last minute. Litchfield changed the topic of his presentation, but he was unable to remove his slides from the conference hand-out.

The next day, the Wall Street Journal wrote about the flaws and, ever since, the relationship between Oracle and the tight network of security researchers who hack its products has been tense.

This antagonism has prevented Oracle from receiving the independent testing and security advice that would have improved its products, said Cesar Cerrudo, CEO of security research firm Argeniss in Parana, Argentina. "Oracle has ignored researchers and also attacked them, saying that researchers are the problem," he said. "The problem is Oracle's flawed software and Oracle's amateur handling of security related issues."

From Oracle's perspective, researchers like Litchfield profit from the publicity they get for exposing Oracle's security flaws, but that exposure comes at a price: more risk for Oracle's customers.

There is often little upside to cooperating with companies that do not understand Oracle and who profit from publishing security vulnerabilities, according to Oracle Chief Security Officer Mary Ann Davidson.

"What I really want is a world where there can be fair and accurate criticisms," she said. "I'm all for dialogue, but you have to establish trust."

In the past few months, however, there have been a few signs that things may be changing at the Redwood Shores, Calif., company.

Oracle is becoming better at communicating with the research community, says Darius Wiles, manager of Oracle Security Alerts. Wiles' team is now working out a new bug system, which will let bug reporters outside of the company know they are not being ignored. "Once a month, going forward, we'll provide them with a list of everything that has not yet been fixed and indicate whether it's still under investigation or whether it's been fixed."

Taking a cue from Microsoft, Oracle has even launched its own Oracle Security Blog.

And Oracle no longer talks about its products as unbreakable. Earlier this week, Davidson said that the first time she heard the marketing slogan, she thought, "What idiot dreamed this up?"

Our Commenting Policies
Latest News
rssRss Feed
View more Latest News