Database - eWeek


Is the Smart Grid a Dumb Idea?
Surgical Adhesive Offers Smarter Way to Mend Bones
Get Smarter Technology on Your Mobile!
  Database


Oracle Security Chief: Put Bugs in the Hands of Developers



 By: eWEEK
2006-01-12
Article Rating:starstarstarstarstar / 0


There are 0 user comments on this Database story.


  Table of Contents:
  1. Oracle Security Chief: Put Bugs in the Hands of Developers
  2. ' A Hybrid Approach '
  3. ' Secure by Default '

Rate This Article:
Poor Best
Oracle Security Chief: Put Bugs in the Hands of Developers
( Page 1 of 3 )

Q&A: While some charge that Oracle puts the fox in charge of the hen house by giving developers too much say, Oracle views it as part and parcel of an educational effort. Oracle security chief Mary Ann Davidson discusses this and other security goiAs Oracle Corp. grapples with its patch quality and speed, some in the security community have compared it unfavorably to Microsoft Corp. Oracle security execs say this is an apples-to-oranges comparison, given the vast differences between patching the complex server software Oracle produces and the client technologies that makes up much of Microsofts security focus.

Still, Microsoft has managed to turn around its reputation as a large bug target with poor attention to secure code, in part by pulling together a centralized security organization, MSRC (Microsoft Security Response Center).

In contrast, Oracle has chosen to route security issues back to the appropriate product group and developer in an effort to create an ownership mentality toward code flaws.

While some charge that Oracle thereby puts the fox in charge of the hen house by giving developers too much say in whether their own code is buggy, Oracle views it as part and parcel of an educational effort that reaches anybody and everybody whose fingers are in the product pie.

eWEEK News Editor/Operations Lisa Vaas had a chance to chat with Oracle Chief Security Officer Mary Ann Davidson about this and other security matters while on a trip to the heart of Oracles security setup in Redwood Shores.

Could you explain why a decentralized security approach makes sense for Oracle?

Resource Library:
Theres a couple of practical reasons. The reason we have a security bug fixing team is not to fix the issues. Its to be an analytical process. (Its to analyze things like) "How do we have processes and systems to track issues? How do we make sure were prioritizing them so the worst ones are fixed first?"

How does this work on a practical level?

We have a group in the database team called DDR (Diagnostic and Defect Resolution). Normally they do a log of regular bug fixes. If a fault is reported, it gets processed and tracked by the group whose job it is to fix bugs.

Thats a centralized approach, though. When and why did you move the bugs back to the developers?

We did security bugs that way awhile, but eventually decided to move it back to developers who did the code for a few reasons.

The main one is you want people to make fewer mistakes. One way to do that is make sure they know what they did wrong the first time.

The second reason is accountability. You want to foster the idea that you need to understand how this defect got in there, how it was exploited. You want to see how a hacker got in there and how it was exploited.

Do you think this type of security structure will work better with Oracles growth-via-acquisition?

A small team will never scale. A lot of companies talk about having a culture of security. Thats the main thing you need, otherwise youll never have enough of people that you need.

Some things must make sense to centralize, though. Im thinking of encryption and such.

Policies, training, those things make sense to centralize. Instead of every developer having to run all the pages of secure coding themselves, we developed a Web-based training class we rolled out against the product stack. All you have to do is fire up your browser and take the class.

Similarly, when we make acquisitions, one thing we do is talk to the security weenies from the acquired companies. We say, Theres stuff we do to engineer security into our products, but youre probably doing some of the same things.

If youre doing something, if youve got something in your bag of tracks, we say, "Hey, lets incorporate that, so we dont have one PeopleSoft security way, and one JD Edwards security way, and one Siebel security way."

Does that mean s we might be in different phases of doing stuff across the company? Yes, but we have one goal, not this guy doing it his way and some gal doing it her way.

Other things to make centralized are the technical aspects of security knowledge like encryption. So we have, as part of our cooking standards, are you using Oracle licensed encryption routing? Weve already licensed, vetted, and probably have fixed (whatever theyd have applied it to).

Next Page: A hybrid approach?





  Reader Comments: Oracle Security Chief: Put Bugs in the Hands of Developers
>>> Be the FIRST to comment on this article!
 


 
 
>>> More Database Articles          >>> More By eWEEK
 


x}r8s;iW1EnvI%5eYKU-EB!)rbbq3 -R]}\QD 7$Iȅ=!]ǘ[cSݣw&$5~]4i= ɑԫ 9S]MHwW3fөP/?`᳑(,Q  tjOt0]2d;s6!esM/cߨ`&`1\m8lTl@!j:a?XX$1qD ñh] \(>߱L㘄-:;|w*UFN83pyf_žB%h!1Qus_ad^x/4*;U;a-r[hP;Uyah -\r."Lռ[@ *YNrDƞ4HCKh;Fýȱ}:|p x09ry J5jfL yf_%z0ww ^_adm+1UJE R.dz$_S::Y'NtjQ2ZN-kEKXOR ])1N,R!t'lji_Wם~ ڧ'םwbٚXC J@e$vFLEYsYڟ;>g:Qڟm3Hklxmķx0|`kh2`;;RZIJ=OULxE$Y)rk"8t/!O}fr2GrI/o"$cM|`Ah6 2Xc]vЎRlJVmT3o`H2 f4.ͻzp- @lo Kj(:H)5?&F`Mil&XJp7Q $%/^P%P샚_΢[2jFTwPH7CD r2#~B(PHQ>z%Kes7p@WMCrjNTʊ0Wr{熷H <Ǟ4vz~68^%glh|X.B2iK1.PWG5MGRŦcWJPz|/jJG-dj`qaeBݠcmnywσ@uti3c|>9Gm'!|e mx=Z.s3IXn`΀&Hqpy4ڭ-%H_ >< zNJ$ >6Zχ`j˦MfB9{ǻergm͠~(wMnHi>X^0{@`^@Z8`88ʼE ]qksB7}`4F&QcSB\jÐx?k1 %@X mAt"BђF 4  gsX"C"'' [AX;k a+ä\*1=Ri ! g Rtvn K){TKh+K@f:34YIJM힟u]_ ȉ#m"09X -gZ X%ּ aXUk*|:IoB{<6u0 uUM MXb HK%\EwT-::ޟx=Fn;A뎒:\VM+}t>xFXvG7nLSS \ eBC`9sM/Xg5׵Lj TF`ߒ^86h{Ͱ&PoTM?>{BL\naDP$W:ϧHږiE-ȇRoBo+څP!_.dI_fMblȌu>I!VB17OH wf@nmHݤ|r:#wBS518 FLqG)'SgFFJ V zh'Nѫ>Ug plTo-V,~%fsP*oWuR@_F&ۊx A-ژ WZڄ"JMP>L2Cɣ($mU2LkInQx{8dO1k}0)\TBȄeê%VbګY3ld xAq!r?-j(6 3XSq;hzE>wI{Lcg@>`ǟG(a!w1ZJkX$ U*=̔:Y[ ^|@'K |o2tJ.k1sM^^.V꺰']69g&A(|p$'Z>plZ`/R7&4wڳJ 1SQ_.~D[d"vd\6˰@e9ִ&3v,˹F z4f/Ht]i)%5y(p?CU^of"JXVblxcC-+Jr|T*oV (9)3Ku)*|m1DwA~M4/})ԆL}6݁ /r-,|rqZELYO`s!AvЎ@'OeZTJb!<,`.Q8)Uf!ߛyx 䂲d3 ]lW 19L_߀S)j }0Gd٤S<ё1[DG {@nՂ( 5zfy@Lt@qHGؽL HMҜNyT>äԊkt)D ^@z]-3b_@וBV-*5"X+CbRTh^{p jN&jFB-89k*O_ Fb&T~\yYRglס3i21󓫻玾Z+U c ׃n>۹+am6~&zi1bZ`7=3#[4OQk*X9 2O3(~ (zC>ku AL>q\TS<Q}(Z7MaXQJ7 \ZE/ha~%36R-ܛ`,@N|KO]kEl`\ASf<^ΈےCtK37~ 6F˔[ā0W4$NcVpDMc? h)k4CoeE tZb()gI= g?amy`:JU4qy27(kM_L7 xGʟ?9?qwP3@|R'9w>ʇz]*{_ 1i0F\0rX>({HE~W9ـo9 |\.T r2RDBRNBq<:N+4CN\a+Tn\&G7F@"'! M+53,`jbUܘ㏌&м~>A'&O!(0H_dpm;dU]uv>g +f[I.+uM58?"Emc.Y۹rG ЫH~x :#:(cr|8Dij}Jx-}U\8"c{.[RGY^ٷgP K Rcbwmɾ3z~jZ56|v> 72SH4|7Nys)}ڻ]zsٖ zW's=B nTH͋·#F_!zN/fS L k;d8) hdJm\8$]w ST8 uÀ@Hc]לX0z)ӱB3ZMUe | ʢO4dkwD /gNyZz7~Q/,dk.}?I/K턟isPZdLg!I +W{7}Ȝ9%/r{d,'Qd1.P2QtI Js[g̞x~K7跷bR8C?gw.z@r@pSx6{Zg%QJ=qM@kjir\"~^YZ䑼DqD%t`5o14L,*zj6;l-3hL ;yor?0G Ofx՛R\P`-ݺܭ1J "i#ĠHߙSsEs _5 4:as*|"ZyVa'8\y5ߊ:"YcCƓd۲cz sf2i TgeT7/__B !C9h3[a@)w#OƥG/>qlĨ`jox?F'sgfdQ%3RT+_|X`ˤ~[bO/^~\Aw|0ƛbqJ )b`.C O}S~=h =V[,\xbԙ@ĚQ&)cGY6Slzsfo̴5Ϸ;<قɝԱǞ:`BYjr veUosˉYNXv4B_~.k>9;g#V?gYEZ_p'~-0%yX;KCb*Zۢ?xv T\Ep,"`S0X‚{5RHH؉\@4nK./%0 2O`qnau#u_R G[ Lb ` D@m&:Ż0n@jz_4#vx-+ >(bfӥqaŘ?S<'f@x{OcY$# 0!i<ůˋcm9TCDz /dHhcBX\p`ɕS'sG oMw?gX9Qx[mmFFTްaAA?ﺙ\7#*|m::Mn0xo_S}㜳E^Dz2m(S)d;⢱ ]ja:pu pfW h.wy/yΰRzPKxJܱkP]S~#KeJ5է븚e!wQ}K\A7{7/㾾#ŷzn7u\ @ycmԃ QRQ=6۬7oوtGk3")A5[of6௺eula}:'^ժ/{*qdyΜ;mV)j;1eLC9[y4S2Ć8ZAOޅœ\:=_}Ǽ'\&9E ~Z3p^"R8}k#ɗy0\ '{_>RT`bVd=-D?\<@! ˜/4sؖ# P^pũ߳yxȩ]A2݀WWZWqi3-sOk.ьJC gĭA2@,~X PAft~D)Fd?^יY?`$`n3λyk\9qs1*ga)(_?E7ǽNSPIG\y| H%@Mstx+;wķ$kQē{ͮQqOc臵rAk)G>?E@:^oƑ-~Exu{@RCVB(lV Fݽ8hXdCy~5>8~܋.P"A1Rhs05̈Gbv mz^CzJ;7(6.W@O[jkhDP"ͪNDnpdi:?| >In*Ht%oNIu 8M/ky7ETnp=jh DfԤHdm^X)ϱZ,rzw(k1{ZLj+0/ (ZU,%=A3"V29C(c~BMFh_𾹹fFLma`t.t~?]_:@ffp͒w\j:rtT b:M4?}Ǯ%nKM qsB4_ DL wˈ_`!bޅR)'I]-au]+J)q<>˞A~guE;q HD+^@03%bk`frL5v<ͫ/wM&O'ՠӻ$' ¶-r5eZ_N{W_: 83=|j5ۼ6/ v(P]6mf)NL{=\H^Eƒ"^ûHKvE3@cqy^ /ً'a~\<)Qe;̋ QW~0@7[vfc+t_?gg:^2SM-G}*5}V0ෛ.৛.1.g7>@ Dg(Q~ewQ{1?s w1=/=? ː/W@Wq_e sA?}?c}?cA \ S}}Y0 (*ɠh& K:ICP.Ndr z)A^d_~*%YFy 3Y+F/^˰sk=ce_?ˀ/qsuk%R+ ]Q%=Lk[I2}Wc|u(X2M*#(78%Y}M#htoĶ.b!Iy=0?%Mu{2پWߕ\~Sne+tVq&R<#s"qDZJ91baOd_U-(s#h60 .Ñp[{剹?|k2xwi0<@ ۓ{ opmঠϻH-a0.: 7W]}.omG;yh#62f;w S췡\2GTk6:5LQ3[ %ÈC?8[@O箌##gHX&38M "7_δ-ؠGО#wӦB/u-&7:\>|#]MD|&߲jOG5 *AlZ`n#.V|sS [-FdXXEr xT|j[l'$}'r1>rNYFE`˫BOޕxI{mS?p[Rlc2 ?Lg=x-\ Z~nܸ|sVI$̸Oe~^6bRF5㣭A{@hd9Ck= S:aѡ(Y{XnDhG_3;-5kxg.$|,-Joē} tA6H_,T϶{3[;!5UkupɯAO^ۍveL2K5<٢L/Fx_nD6?E4D Oa\װnBaIgLiX ='fs(.>G%7!31Q)jkI/?H3軱Wx&%}YQ v|.yzcH#eUI;.~m%]*KxҍHqp/>~؆|%Og ϻH (tIg cS )1| j7;3mTeuMc0ŬBCh=)O?7'[nG\<>ciES,c< z@n0$ /JhoGoRz.+H|n4~Uf2{{:з57b(Q|Ӽ^4(NaeRb0yMvųFc ?dt;b[p?>PEg*R8WD K)YBAł?Qg;kMa pQ!*^x[9@xeѵh_yQ;Y?] m-1k8~m=au+Urcdk{f:ePeXl'ᠢ׀5V`92H_3(|9N]PnãÍGHƸ׬[[ qy6`;Щ1D\NvE9bꛦtE]khT[)*ʢS6M 9/ߵS3pݼ®,vyXF4gX3' cgb@xO=f_qxN|,Xu 2^;FB~ea'Zϼ:?ʂo/ QF$V/(ylHbK9m5'0X1'NRK&tf cJ\g'ۂ~ŕc˩.X)ZN~LʹcaPѽk xٚջU$¨C}3Ay,O>jA@`U\3|f7tZЮsq-MSga+ecPXVc.G\L*@=փ LW{څGQy6;|,݈bV"N$֊w