Page 2

By Lisa Vaas  |  Posted 2006-01-12 Print this article Print

Oracle does have a lot of resources, but vetting 252 reported vulnerabilities isnt where its people want to devote them. As it is, the automated code assessment tools Oracle uses tend to turn up false positives, John Heimann, director of Oracles security program management, told eWEEK. "These tools can help you find potential issues," he said. "But not everything found by the tools is necessarily a security bug. … Automated tools arent necessarily a substitute for human thought."
And in the hands of Oracle customers, such tools can result in a stack of vulnerabilities, plunked down in front of Oracle reps, who then have to pore through them and explain away false positives.
Thomas Kristensen, chief technology officer for the bug-monitoring company Secunia, is recognized as an impartial voice who has to deal with both vendors and security researchers. But he comes down on the side of Kornbrust when it comes to who should devote their resources to research vulnerabilities. "One can always argue that its the security researcher that should do all the work of verifying and assessing vulnerability of flaws found," he said. "But you can also say its the vendors job to find out if its as dangerous as [the researcher] thinks. … Its difficult to assess who should do what. But in the end, the one receiving money from the customer is the vendor. You can say researchers are doing a lot of work on behalf of the vendor for its customers." Still, Kristensen said, its important for researchers to at least prove the concept to a certain point, to explain to the vendor what the issues are and to explain criticality to some extent. "But the full extent of the vulnerability, you cant expect security researchers to go in and do all the work to do that," he said. "Its the vendors responsibility to do that." More on companies minds, however, are two things: the time between flaw discovery and patch issuance, and patch quality. Oracle claimed that virtually all the issues Kornbrust discovered have already been fixed in the latest Oracle database release, 10gR2. It also said that fixes for all legitimate vulnerabilities affecting older versions will be released to customers in CPUs. The problem with that, Kornbrust said, is that many bugs are still unfixed in 10gR1. Thats backward priorities, he said, given that most customers havent yet upgraded to R2. "At the moment, most 10g customers are using R1 as a production database and not R2," he said. "There is no advantage for most customers that the bugs are already fixed in a newer, not used version." One blogger on Information Security News Desk—run by members of the security community—put it this way: "[Oracle Chief Security Officer Mary Ann Davidson is] right that fixes to even simple vulnerabilities still have to go through a full test and release cycle, but shes being disingenuous in claiming that Oracle has been responding in a timely manner to the notifications theyve received. They havent (and this is not new behavior)." Next Page: A lot of code to test.

Lisa Vaas is News Editor/Operations for and also serves as editor of the Database topic center. Since 1995, she has also been a Webcast news show anchorperson and a reporter covering the IT industry. She has focused on customer relationship management technology, IT salaries and careers, effects of the H1-B visa on the technology workforce, wireless technology, security, and, most recently, databases and the technologies that touch upon them. Her articles have appeared in eWEEK's print edition, on, and in the startup IT magazine PC Connection. Prior to becoming a journalist, Vaas experienced an array of eye-opening careers, including driving a cab in Boston, photographing cranky babies in shopping malls, selling cameras, typography and computer training. She stopped a hair short of finishing an M.A. in English at the University of Massachusetts in Boston. She earned a B.S. in Communications from Emerson College. She runs two open-mic reading series in Boston and currently keeps bees in her home in Mashpee, Mass.

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel