[Full-disclosure] RE: Oracle - the last word

This has always been the problem with Oracle, especially from the top
down: "arrogance".


-----Original Message-----
From: David Litchfield [mailto:davidl@xxxxxxxxxxxxxxx]
Sent: Tuesday, May 09, 2006 10:34 PM
To: bugtraq@xxxxxxxxxxxxxxxxx; full-disclosure@xxxxxxxxxxxxxxxxx;
dbsec@xxxxxxxxxxxxx; ntbugtraq@xxxxxxxxxxxxxxxxxxxxxx
Subject: Oracle - the last word

A few people have asked me recently what it is I'm actually looking for
from Oracle. I have a nice little laundry list of things, of course, but
mostly all I've been waiting for is to hear Oracle say, "We admit we
have a problem with regards to security, but here's our strategy and
we're going to make it better." In that simple admission would lie the
cessation of my criticism of Oracle. But, let's face it, it's not a
simple admission in reality. As a business, Oracle can't say, "Oops.
We've been mistaken all these years - turns out our database isn't as
secure as we actually thought."
A company like Microsoft can do, and indeed did, something just like that,
but their business was never built on what was supposed to be a
reputation for and a foundation of security. It would be business
suicide for Oracle to do this.

After much rumination, the obvious struck me: Oracle could make their
product more secure (and improve the behind-the-scenes processes that
enable them to deliver a secure product) and all the while admit to
nothing. Whilst I've been throwing tantrums at their failure to admit to
the truth, Oracle has been working on doing this. It almost passed me
by. They're not there yet but they are getting closer. Let me put that
in concrete terms: When Oracle 10g Release 1 was released you could
spend a day looking for bugs and find thirty. When 10g Release 2 was
released I had to spend two weeks looking to find the same number.

Soon, and I have no time frame in mind for "soon", Oracle will have
"arrived" at a point where sitting down and finding a single bug will
take a month - and not once would they have had to admit to having
problems with security. They'll have solved it. Their tools will be
tight and their processes slick. They'll almost be Unbreakable.

I'm sure the strategists at Oracle must have realized this - for an
organization such as Oracle it's really the only reasonable option
available. Okay, it's not the open strategy that I'd have preferred but,
in the end, the journey of how they got/get there, to a secure robust
product, is irrelevant.

Another thing that struck me was the amount of effort and time that it
must have taken to get a lumbering stegosaurus of a beast like Oracle to
turn around. I can only assume that, as CSO, Mary Ann must be credited with
that, and as such, I revise my position on her. Dare I say it, well
done, Mary.

I realize now that this is how it's going to be - I'm not going to get
my much sought after admission, but at least we get a better, more secure
product we can be more confident in. Besides, I weary of "Oracle
and I've no doubt that I've wearied many here on these lists over the
years, too. NGS will, of course, continue to research and find Oracle
security flaws, report them and help Oracle to fix them but, from now
on, I'll leave the proselytizing to others. Oracle have moved
sufficiently far forward, and with enough momentum (now), that I
believe they've passed the point of no return and can do nothing but
eventually end up where we all want them to be.


David Litchfield

NGSSoftware Ltd


+44(0) 208 401 0070

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/