Oracle security boss throws her toys out of the pram

Oracle chief security officer Mary Ann Davidson has been ranting online about people who discover security flaws in Larry Ellison’s database.

Writing in the Oracle corporate blog, Davidson appeared fed up about customers who insist on making the job harder by reverse engineering.

Davidson complains that she would rather be writing murder mysteries than telling off customers who insist on reverse engineering Oracle software code to find vulnerabilities.

“Recently, I have seen a large-ish uptick in customers reverse engineering our code to attempt to find security vulnerabilities in it. < Insert big sigh here. >

“This is why I’ve been writing a lot of letters to customers that start with “hi, howzit, aloha” but end with “please comply with your licence agreement and stop reverse engineering our code, already.”

What she is saying is that punters should stop trying to find security holes, which only pull down the overall quality of Oracle products.

It is best to let Oracle professionals deal with it. In fact, as Davidson says below, customers should leave Oracle’s systems alone and use their time to focus on securing their own programs, which may not be up to par.

“I can understand that in a world where it seems almost every day someone else had a data breach and lost umpteen gazillion records to unnamed intruders who may have been working at the behest of a hostile nation-state, people want to go the extra mile to secure their systems.

“That said, you would think that before gearing up to run that extra mile, customers would already have ensured they’ve identified their critical systems, encrypted sensitive data, applied all relevant patches, be on a supported product release, use tools to ensure configurations are locked down — in short, the usual security hygiene — before they attempt to find zero day vulnerabilities in the products they are using.”

To make matters worse, she hints that exploring Oracle code could land you in hot water over licensing agreements. If a customer uses a static analysis tool to poke about, they are “almost certainly” violating their licence agreement, so Oracle will be coming after you as a customer should you dare report a vulnerability to the software vendor.

Most security or scan reports handed over to Oracle by customers are “not much more than a pile of steaming… FUD,” according to Davidson.

It is probably better that security researchers flog their zero-day vulnerabilities on the black market or release them online instead. That would surely be a better alternative than having Oracle employees write strongly-worded letters to third parties, or a word from Ellison’s m’learned friend.