Re: Opinion: Complete failure of Oracle security response and utter neglect of their responsibility to their customers
From: David Litchfield (davidl_at_ngssoftware.com)
To: "Gadi Evron" <firstname.lastname@example.org> Date: Fri, 7 Oct 2005 19:04:10 +0100
Not wanting to get embroiled in a debate about this (but failing ;)
>> Having worked closely with the security teams of most large commercial
>> vendors (IBM, Oracle, Microsoft, Apple, HP, Adobe, Real) I can quite
>> honestly say that, of all of them, Oracle is the only company to still
>> treat security in this way. Most other organizations "got it" years ago
>> and while there could be improvements made in various areas the most
>> improvement could be made at Oracle.
> Not many of them "got it". Some are simply worse.
This is not my experience. Certainly for all the bugs I have found the
patches released by all vendors save Oracle have fixed the problem. You call
me out on "where's my evidence?" I ask the same of you - where's your
evidence that this is not the case and that there are other big vendors that
>> Firstly, it's due to the facts that I posted as I did. It is fact that
>> the patch for Alert 68 fails to properly fix a large number of holes it
>> was touted to fix. It is fact that a large number of companies that spent
>> a great deal of money installing the patch have wasted their time. It is
>> fact that Oracle database servers are still vulnerable to security holes
>> that were reported to Oracle years ago.
> Amazing statistics. Where are statistics on others?
What are you looking for stats on? Failed fixes? Time of bug report to time
of patch? It might actually make an interesting read. I'll put something
like this together over the coming few days and post my findings. In the
meantime, please accept my assurances that Oracle is on the bottom.
>> Because enough is enough.
> For security people maybe.. using Oracle for most business is a Business
Whilst you are of course right that for most people Oracle is a business
concern what we also have to remember is that business is _all_ about risk
and managing that risk. Do I risk investing in a new product line? What's
the cost; what's the potential gain? What if it goes wrong? Adding more
risk, due to insecure software, is best avoided; especially with software
that's responsible for protecting the organization's crown jewels.
>> Because they seem to be the only ones that don't get it.
> This is the place where you lost me, I am sorry. The only ones?
In my experience, yes. If you've got something to the contrary then please
> It's not that I disagree with their behavior being questionable, I
> honestly believe a survey of how all vendors do where the s**t floats to
> the top without singling out the Bad but rather the Good, would work
I'll definitely put together the stats.
> This kind of attack may be "called for" but definitely will make Oracle
> less than willing to ever work with *you* or trust the community,
Sorry - but wasn't this one of the main reasons there was such a thing as
disclosure? As a means to get the vendors to treat security properly? Btw,
Oracle don't and never had trusted the "community" in the first place.
> plus it will immediately become a PR issue where they may chose to go on
> lawyer-PR strategies rather than "how do we make sure this never happens
> again by getting off that list".
> It simply looks like a rant, which is a shame.
On some levels it was a rant. Does that devalue the information? Not in my
> Regardless, like I said, you better have a good plan on protecting
> yourself from liability. Right now, right or wrong, it appears like a
> personal attack from you. So, even if the entire community is behind you,
> most of the community won't help foot the legal bill.
I stand by my comments. They are based on fact. And, if it ever comes to it,
I would never want the "community" to help foot any legal bill.