The Security Grinch is Alive and Well At Oracle
Mary Ann Davidson, Oracle’s CSO, is tired of customers performing their own security tests on Oracle software, and she is not going to take it anymore. After all, it is Oracle’s job to set the security standards and thresholds for each and every one of their customers! This public rant took place on an official Oracle blog as well as on her own personal blog. Mary Ann went on to proclaim the egregiousness of this “violation of the Oracle license agreement”. In fact, she adamantly emphasized to every reader that both the security vendor who performed the security scan and the violating Oracle customer would receive letters of admonishment and be put on notice to cease and desist.
To quote Mary Ann: “If we determine as part of our analysis that scan results could only have come from reverse engineering (in at least one case, because the report said, cleverly enough, “static analysis of Oracle XXXXXX”), we will send a letter to the sinning customer, and a different letter to the sinning consultant-acting-on-customer’s behalf – reminding them of the terms of the Oracle license agreement that preclude reverse engineering, So Please Stop It Already. (In legalese, of course. The Oracle license agreement has a provision that states: “Customer may not reverse engineer, disassemble, decompile, or otherwise attempt to derive the source code of the Programs…” which we quote in our missive to the customer.) Oh, and we require customers/consultants to destroy the results of such reverse engineering and confirm they have done so.”
An absurd story, of course! A textbook example of how not to treat customers, even when they may have technically violated a nuance of their agreements. Even Oracle Corporation thought so: Oracle has already removed Mary Ann’s post from the corporate blog. A complete copy of her post is preserved on seclist.org.
What Rock Does the Security Grinch Live Under?
What rock does Mary Ann Davidson, Oracle CSO, live under? Has she not read an online news article, or, for those of us born before the internet, a newspaper of late? On July 9th, the headline read “OPM Announces More Than 21 Million Affected by Second Data Breach.” John Kerry, the U.S. Secretary of State, was quoted on August 12, 2015 in Time Magazine as stating that it’s “very likely” Russia and China read his email. It is clear that even with all the resources at the disposal of the U.S. Government, even they are having trouble keeping ahead of the cyber terrorist barrage.
In Mary Ann’s world, she is saying there is no need to check the software you received from Oracle, and that a potential act of independence by an Oracle customer was more worthy of her blogging time than the potentially disastrous security hole that was apparently uncovered. To use her own words: “customer can do like, gosh, actually talking to suppliers about their assurance programs or checking certifications for products for which there are Good Housekeeping seals for (or “good code” seals) like Common Criteria certifications or FIPS-140 certifications. Most vendors – at least, most of the large-ish ones I know – have fairly robust assurance programs now (we know this because we all compare notes at conferences). That’s all well and good, is appropriate customer due diligence and stops well short of “hey, I think I will do the vendor’s job for him/her/it and look for problems in source code myself,”
I have to tell you that comparing notes at a conference does not give me the warm and fuzzy feeling that all is OK. At the next conference I go to, I will suggest that Oracle hire these “reverse engineering”, security-crack-seeking, good-guy hacker perpetrators! And give them a very big signing bonus!
In fact, Mary Ann readily admits that the internal process Oracle currently uses is inadequate: “I’d like to tell you that we run every tool ever developed against every line of code we ever wrote, but that’s not true. We do require development teams (on premises, cloud and internal development organizations) to use security vulnerability-finding tools, we’ve had a significant uptick in tools usage over the last few years (our metrics show this) and we do track tools usage as part of Oracle Software Security Assurance program. We beat up – I mean, “require” – development teams to use tools because it is very much in our interests (and customers’ interests) to find and fix problems earlier rather than later.”
Mary Ann also stated “That said, no tool finds everything. No two tools find everything. We don’t claim to find everything.”
Oracle Should Embrace Its Customers’ Efforts
Instead of using strong-arm tactics to prevent customers from discovering security flaws in Oracle software, Oracle should embrace the process and work with its customers to make the product even more secure, which is in everyone’s best interest. It is an indisputable fact that Oracle builds world-class software. Over the years, however, Oracle has embraced an aggressive culture that is now part of the corporate DNA. Numerous articles have been written on this:
July 2012 (CIO.com): Oracle Shows What Happens When Sales Runs the Show
Nov 2014 (computerweekly.com): Users warned over ‘aggressive’ Oracle software licensing tactics
July 2015 (Fortune.com): Oracle reportedly wields audits, license disputes to push cloud agenda
July 2015 (BusinessInsider): Oracle is using ‘the nuclear option’ to sell its cloud software
Oracle has a lot to learn from Microsoft, which has learned to embrace customer help when it comes to identifying security holes in the many products Microsoft produces.
Large Companies Can Embrace World-Class Customer Service
There are many very large companies that embrace world-class customer service and make that approach part of their corporate DNA. These are companies that are open to developing partnerships with their customers as opposed to bullying them. USAA insurance and Costco are two that come right to mind when I think about world-class customer service. Both of these companies have industry-leading Net Promoter Scores (NPS).
NPS is a way companies can measure customer satisfaction. It’s also a way for you to determine whether a particular company is inclined to partner with you and work hard to ensure you have the best customer experience possible. Look to work with companies that embrace world-class customer service as part of their DNA; NPS is an excellent gauge of how much a company does so.
Oracle needs to adjust its aggressive business practices, and Mary Ann Davidson, or Oracle’s next CSO, must change this attitude. Comments such as being tired of customers performing their own security tests on Oracle software, and refusing to take it anymore, must become a mindset of the past. This is indicative of a corporation that has developed a corporate DNA more likely to bully you than partner with you. If we don’t serve our customers, make no mistake, the competition will. As more and more applications are developed in the cloud, it’s becoming easier for people to take their business elsewhere. New products every day, like Unified Cloud, are making it harder and harder for vendors to lock you in.
Special thanks to Don Sullivan, my co-columnist on the Big Data Quarterly, for helping with this blog article.