"The biggest thing I've seen is that security moved from an ad hoc, piecemeal approach (bug hunting) to something well-defined that's part of an overall process," Webroot's Leblanc said. "It's something a lot of companies need to emulate."

Given the events of the last six years, security experts say that what once was unthinkable may someday come to pass: hackers turning their attention from Microsoft to easier pickings in the software of other companies.

Database and enterprise software giant Oracle often comes up in discussions of other likely targets. Researchers liken Oracle in 2005 to the Microsoft of 1999: a major software vendor with big ambitions, a huge, complicated product, a dearth of security expertise and an attitude problem.

"I remember sitting down with our research guys one night with Oracle and we found about five different flaws right away, and then just gave up," Maiffret said. "It was like, what's the point."

Vulnerabilities exist in all software, but Oracle's response to eEye's reports is sending up red flags. "It's like Microsoft five years ago. The technical expertise isn't there. You tell them it's a buffer overflow, and have to completely draw it out for them, or they try to argue that it's not a [security] problem, it's just a crash," he said.

Litchfield of NGSS recently published an open letter on the Bugtraq security discussion list that excoriated Oracle for its slow and shoddy software patching procedures, which he said left the company's customers vulnerable to attack and gave them a false sense of security.

Oracle's October quarterly CPU (Critical Patch Update) addressed some of Litchfield's earlier criticisms and does a better job of fixing security holes in the company's database software. For example, the latest CPU fixes not only reported holes in the company's products, but also similar holes in other areas of the code, Litchfield said. However, that change in practice only brings Oracle to the point where vendors such as Microsoft were three or four years ago.

The story isn't much better at vendors like Apple Computer Inc. and Hewlett-Packard Co., not to mention the banks, retailers and other large corporations that write and use their own software, McGraw of Cigital said.

"The biggest hurdle is that developers don't know diddly about security," McGraw said. Ironically, he said, the lack of knowledge and training about security is especially chronic among the older and more experienced developers who came of age before the Internet and application security were high priorities, and who are often project managers with oversight of major software development projects. "The more experienced they are the less they know and the less time they have to learn," McGraw said.

Microsoft's development process and procedures are unique, and uniquely suited to a mammoth software development shop. However, companies that want to make their software more secure will have to take many of the same steps as Microsoft to turn their ship around, McGraw said. "You've got to train your [developers], build a knowledge base, do analysis on existing products and fix them," he said.

Even more importantly, companies have to get buy-in from the highest levels of management to make security a top priority, as Gates's Trustworthy Computing memo did at Microsoft, McGraw said. "There were a lot of cynics who said that Microsoft is posturing, but the company has put its money where its mouth is and made slow, torturous progress," he said.