I came across this interesting news article written by Grant Gross and published on ComputerWorld this evening. The title is "Security expert: More developer education needed - Many programmers don't understand how code errors cause vulnerabilities" - The article starts:
"AUGUST 11, 2005 (IDG NEWS SERVICE) - WASHINGTON -- Software vendors need to create security education programs for their programmers in order to deliver software products that are more secure to their customers, an Oracle Corp. security expert said today.
Developer education and pressure from large buyers such as the U.S. government are two key ingredients in better software security, said Adam Jacobs, Oracle's principal product manager, during a presentation at the InfraGard National Conference in Washington. "
This is a very interesting article for some of the comments. It says just after the above quotes that Jacobs agreed with a Microsoft spokesman that off the shelf software vendors ignore security in favour of ease of use issues at least until recently? Adam Jacobs also agreed that the numbers of security bugs are rising not going down, he goes on to suggest brilliant designs are made insecure by developers. He said that many developers do not understand buffer overflows and SQL Injection and that universities are not teaching much about these subjects and issues. A key insight into Oracles coding strategy is disclosed. Jacobs said developers are rewarded with bonuses for delivering buggy code on time and also for delivering fast code that later has many bugs in it.
He then goes on to say that Oracle have developed a one day internal security training program that all developers go on, he also said a lot of developers complained about the course, why?
He also talks about developers having responsibility for the code they produce. The article finishes with some interesting comments that Oracle isn't going to invest time in making secure products if competitors make cheaper products.
It sounds like an industry truce is needed for all database software vendors where they will all agree to have minimum coding standards for security. That way they can all compete on a level playing field and we can all get secure software.
Blog
Pete Finnigan's Oracle Security Weblog
This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.
[Previous entry: "Prime number researchers put encryption algorithms such as RSA at risk"] [Next entry: "The rise of Oracle blogging"]
August 2005
- Demystifying MS SQL Server & Oracle database server security - 08/01/2005 by 08/01/2005
- 10g Release 2 is available for download for Windows - 08/04/2005 by 08/04/2005
- Database Vendors Shouldn't Kill the Messenger - 08/05/2005 by 08/05/2005
- 10gR2 the CONNECT role has finally been sanitized - 08/06/2005 by 08/06/2005
- slashdot discussion about Mary Ann Davidsons recent news article - 08/08/2005 by 08/08/2005
- Oracle simplifies SOAs - 08/09/2005 by 08/09/2005
- Hashattack - Oracle password tool update to version 2.0 - 08/11/2005 by 08/11/2005
- Prime number researchers put encryption algorithms such as RSA at risk - 08/12/2005 by 08/12/2005
- The rise of Oracle blogging - 08/14/2005 by 08/14/2005
- Two excellent papers on a new method to combat parameter validation and SQL Injection - 08/15/2005 by 08/15/2005
- OPatch, wherefore art thou? - 08/16/2005 by 08/16/2005
- My site and Blog are available again - 08/17/2005 by 08/17/2005
- Doug talks again about ? and catpatch.sql - 08/18/2005 by 08/18/2005
- Radoslav Rusinov's Blog and mod_plsql passwords in clear text - 08/19/2005 by 08/19/2005
- Red Database Security has released a standalone Oracle password cracker - 08/22/2005 by 08/22/2005
- A second thread on c.d.o.s. about the Oracle password algorithm - 08/23/2005 by 08/23/2005
- A perl script to brute force database connections - 08/24/2005 by 08/24/2005
- Full disclosure list: Summary of the password algorithm and a C code plug-in for John The Ripper password cracker - 08/25/2005 by 08/25/2005
- Alex has released version 1.1 of Checkpwd - the Oracle dictionary password cracker - 08/26/2005 by 08/26/2005
- 1.02 Million hashes/second Oracle dictionary and brute force password cracker available - 08/27/2005 by 08/27/2005
- A career change and some site revamping - 08/29/2005 by 08/29/2005
- Alex has added a page to compare the available Oracle password crackers - 08/31/2005 by 08/31/2005
Archives
Syndication
Powered by gm-rss 2.0.0
