Re: Opinion: Complete failure of Oracle security response and utter neglect of their responsibility to their customers

From: David Litchfield (davidl_at_ngssoftware.com)
Date: 10/07/05

    To: "Gadi Evron" <ge@linuxbox.org>
    Date: Fri, 7 Oct 2005 19:04:10 +0100

    Not wanting to get embroiled in a debate about this (but failing ;)

    >> Having worked closely with the security teams of most large commercial
    >> vendors (IBM, Oracle, Microsoft, Apple, HP, Adobe, Real) I can quite
    >> honestly say that, of all of them, Oracle is the only company to still
    >> treat security in this way. Most other organizations "got it" years ago
    >> and while there could be improvements made in various areas the most
    >> improvement could be made at Oracle.
    >
    > Not many of them "got it". Some are simply worse.

    This is not my experience. Certainly for all the bugs I have found, the
    patches released by all vendors save Oracle have fixed the problem. You call
    me out on "where's my evidence?"; I ask the same of you: where's your
    evidence that this is not the case and that there are other big vendors that
    are worse?

    >> Firstly, it's due to the facts that I posted as I did. It is fact that
    >> the patch for Alert 68 fails to properly fix a large number of holes it
    >> was touted to fix. It is fact that a large number of companies that spent
    >> a great deal of money installing the patch have wasted their time. It is
    >> fact that Oracle database servers are still vulnerable to security holes
    >> that were reported to Oracle years ago.
    >
    > Amazing statistics. Where are statistics on others?

    What are you looking for stats on? Failed fixes? Time of bug report to time
    of patch? It might actually make an interesting read. I'll put something
    like this together over the coming few days and post my findings. In the
    meantime, please accept my assurances that Oracle is on the bottom.

    >> Because enough is enough.
    >
    > For security people maybe.. using Oracle for most business is a Business
    > concern.

    Whilst you are of course right that for most people Oracle is a business
    concern, what we also have to remember is that business is _all_ about risk
    and managing that risk. Do I risk investing in a new product line? What's
    the cost; what's the potential gain? What if it goes wrong? Adding more
    risk, due to insecure software, is best avoided; especially with software
    that's responsible for protecting the organization's crown jewels.

    >>
    >> Because they seem to be the only ones that don't get it.
    >
    > This is the place where you lost me, I am sorry. The only ones?
    >

    In my experience, yes. If you've got something to the contrary then please
    share.

    >
    > It's not that I disagree with their behavior being questionable, I
    > honestly believe a survey of how all vendors do where the s**t floats to
    > the top without singling out the Bad but rather the Good, would work
    > better.

    I'll definitely put together the stats.

    >
    > This kind of attack may be "called for" but definitely will make Oracle
    > less than willing to ever work with *you* or trust the community,

    Sorry, but wasn't this one of the main reasons there was such a thing as
    disclosure? As a means to get the vendors to treat security properly? Btw,
    Oracle don't and never have trusted the "community" in the first place.

    > plus it will immediately become a PR issue where they may choose to go on
    > lawyer-PR strategies rather than "how do we make sure this never happens
    > again by getting off that list".
    > It simply looks like a rant, which is a shame.

    On some levels it was a rant. Does that devalue the information? Not in my
    opinion.

    >
    > Regardless, like I said, you better have a good plan on protecting
    > yourself from liability. Right now, right or wrong, it appears like a
    > personal attack from you. So, even if the entire community is behind you,
    > most of the community won't help foot the legal bill.

    I stand by my comments. They are based on fact. And, if it ever comes to it,
    I would never want the "community" to help foot any legal bill.

    Cheers,
    David
