Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

Scarlet Pruitt's interview with Mary Ann Davidson is out



I just got an email from Scarlet to let me know that her interview with Mary Ann Davidson, Oracle's chief security officer, has been published. I mentioned this interview in a recent post when I discussed the questions I had passed to Scarlet. My post was titled "IDG were scheduled to interview Oracle's CSO".

Scarlet's interview was made in London, and she starts by telling us that Oracle are working to lower the number of security issues in their software, that the number of attacks against data is increasing, and that hackers are becoming more creative. The article is titled "Q&A: Oracle's security head talks from the trenches". In some ways the answers to the questions are a little strange. Mary Ann talks about comparisons with military scenarios and also advises customers to tell their vendors to make products easier to screw down out of the box, and to ask how the software is built: do the vendors use secure coding practices? This to me is strange as she is the CSO of Oracle. Is she inviting Oracle customers to ask these questions of Oracle?

Mary Ann did not give a satisfactory answer as to why there are a lot of known security bugs still outstanding after long periods of time. Yes, I can see that some bugs need to be fixed for many platforms and also that it's good practice to check for the same issue throughout the code base, but two years to fix security bugs classed as high risk? Is this good practice?

I can see that the security of databases in general is getting tougher to resolve and the numbers of bugs are getting bigger, so Mary Ann has a lot of work to control the tide. I like her thoughts on securing the database out of the box and getting customers to insist on security out of the box. This is a good plan. She is also right about fixing the configuration first, as this is inevitably the easier way in for a hacker or malicious employee. This is what we did with the SANS book "Oracle security step-by-step".

I can appreciate Mary Ann's problem space, and this is a good interview, worth reading. Maybe my insight into Mary Ann's problem would be for Oracle to create two installers: one for developers and general users that is basically the same as the OUI is now, and a second, more useful installer for security-conscious customers that tied down all of the configurations that could make a database insecure. The problem space would then be reduced greatly to vulnerabilities and also to those configurations that could not be set for business reasons or those that had changed since installation. This would be a valuable extra for Oracle customers!