Inside Oracle's security assurance program

Inside Oracle's security assurance program
Inside Oracle's security assurance program 

By Bill Brenner
Senior Editor
April 22, 2010

Oracle has had its share of criticism this past decade over coding holes 
that led to many a critical patch update. As a result, CSO Mary Ann 
Davidson has worked to change her company's code-writing culture.

How well that's gone is in the eye of the beholder (customer). But at 
the SOURCE Boston conference Thursday, Davidson walked attendees through 
the specific things Oracle has done to make security a priority from the 
start of the product development process.

She acknowledged that customers have come down hard on Oracle to do 
better in recent years, especially in the aftermath of acquisitions like 
that of Sun Microsystems, which Davidson described as a boa constrictor 
swallowing an elephant.

"Flaws can limit accountability, make it easier for someone to corrupt 
systems internally and falsify measurement and reporting," she said. 
"It's bad if there's a defect in your software. It's worse if a customer 
gets breached while you are hosting a service for them."

She noted that a growing number of customers want third-party 
organizations to look at Oracle's code. They want to know exactly what 
Oracle is doing for security, she said, adding that as business becomes 
more regulated, the burden on the vendor as a supplier is heavier than 
ever. As Oracle acquires more technology, that pressure has been 

Davidson recalled having an unpleasant conversation with a customer 
about a particular product. The customer had suffered a security breach 
before Oracle acquired the flawed product that was involved. Now it was 
Oracle's problem, and the customer wanted to know what the company was 
going to do about it.


Best Selling Security Books and More!
Shop InfoSec News 

Site design & layout copyright © 1986-2014 CodeGods