By Bill Brenner
April 22, 2010
Oracle has had its share of criticism this past decade over coding holes
that led to many a critical patch update. As a result, CSO Mary Ann
Davidson has worked to change her company's code-writing culture.
How well that's gone is in the eye of the beholder (customer). But at
the SOURCE Boston conference Thursday, Davidson walked attendees through
the specific things Oracle has done to make security a priority from the
start of the product development process.
She acknowledged that customers have come down hard on Oracle to do
better in recent years, especially in the aftermath of acquisitions like
that of Sun Microsystems, which Davidson described as a boa constrictor
swallowing an elephant.
"Flaws can limit accountability, make it easier for someone to corrupt
systems internally and falsify measurement and reporting," she said.
"It's bad if there's a defect in your software. It's worse if a customer
gets breached while you are hosting a service for them."
She noted that a growing number of customers want third-party
organizations to look at Oracle's code. They want to know exactly what
Oracle is doing for security, she said, adding that as business becomes
more regulated, the burden on the vendor as a supplier is heavier than
ever. As Oracle acquires more technology, that pressure has been
Davidson recalled having an unpleasant conversation with a customer
about a particular product. The customer had suffered a security breach
involving that product before Oracle acquired it. Now the flaw was
Oracle's problem, and the customer wanted to know what the company was
going to do about it.