Oracle CSO: Security must be baked into coding culture
Though Oracle CSO Mary Ann Davidson has led a push for more secure software, her company has seen its share of criticism this year over how long it takes to acknowledge vulnerabilities and issue patches. After releasing patches when needed and then, briefly, monthly, the tech giant eventually settled on a quarterly patching schedule, a move based on customer feedback. The solution isn't perfect, Davidson admits. After all, the key is to produce software that doesn't need patching in the first place. But it was a step in the right direction. That's how she saw the industry as a whole in 2004: not perfect in its approach to security, but better than the year before.
In an interview Friday, Davidson said the next and most important step is to bake security into the coding culture. "You see more vendors focusing on the security of their software," Davidson said. "The National Cybersecurity Partnership met last December, and the main discussion was about what we need to do to implement national cyberspace security plans and how vendors can get together and raise the bar. There's a general realization that this affects all of us."

Better security on demand

"I see more interest among customers for security assurance," she said. "In May there was a business roundtable -- CEOs from 15 of the nation's largest companies -- and they broadsided the [tech] industry, telling the industry that many of their costliest problems were from poor quality software. They were essentially saying, 'We're mad as hell and we need you to step up.'" She added: "Microsoft realized security was an absolutely critical issue for them because it's critical to [its] customers. If you know what your customers are doing, that your product is the backbone of their operation, you have that accountability. One reason vendors played the rush-to-market game for so long is because it worked for a long time. I don't think that works anymore. Customers are asking smarter, more pointed questions."

Coding culture must change

"You really need a revolution in the IT industry," she said. "There's still a cultural problem. If engineers built bridges as software developers build software, there wouldn't be a bridge standing. The software industry still doesn't have that mentality. That mental shift has not taken place." To force a change in the coding culture, Davidson said the answer might be a separate accreditation process focused on software development or other forms of certification to crank up the pressure. "I don't want to denigrate people who have done marvelous things with software, but they need to focus on security before they do all the wonderful things," she said. "The good news is there are universities out there looking at how they can crank out developers who better understand this."

Oracle's patching challenge
In Oracle's case, she said patching is not the same as it is with Microsoft. "It's different to patch the core database that holds your secrets," she said. "There were customers who had never patched because the database was too important to ever touch. It's a huge deal for them to touch their systems. They did not want it to be monthly. It could be a million-dollar process for them. I don't worry about head-to-head comparisons [with Microsoft]. I worry about how to meet the needs of our customers." In the final analysis, she said a company like Oracle wants to be good at patching because it's easier for customers. "On the other hand, you don't want to get good at it because you never want to become comfortable about patching," she said. "You don't want your software to need patching in the first place."