http://attrition.org/security/rant/oracle01/

A Decade of Oracle Security
Mon Jul 28 13:57:15 EDT 2008
Jericho (Security Curmudgeon)

Oracle Corporation, one of the largest software companies in the world, has been providing database software for 30 years. What began as a U.S. intelligence agency funded relational database designed on a PDP-11 and never officially released, later turned into perhaps the largest and most prevalent commercial database used around the world. With global companies relying on Oracle databases for information management, the need for database security is critical. Despite that need, Oracle products have been plagued with all manners of security vulnerabilities that demonstrate Oracle products were not designed with security in mind. As new versions and new products are released, each is found vulnerable to critical issues that allow for trivial denial of service and complete database compromise.

The last decade of Oracle product security has been dismal. In the midst of CEO Larry Ellison's promises that their database product was 'unbreakable' and CSO Mary Ann Davidson's repeated claims that security is a core facet of their software lifecycle, security researchers continue to find critical remote vulnerabilities in a bulk of their products. The history provided here is to help make Oracle customers aware of just how little security really matters to Oracle Corporation. It is past time for their customers to take the advice of Davidson and demand better from vendors. It is time for Oracle customers to demand the appointment of a Chief Security Officer that will stop the outright lies and spin-doctoring and turn their attention to the security of future products. Read the executive biography [1] of Mary Ann Davidson and determine if she is living up to her job duties.

[1] http://www.oracle.com/corporate/pressroom/html/pressportal/mdavidson.html

[...]