What's your take on this?

Quote said:

Oracle’s chief security officer, Mary Ann Davidson, would really, really like it if the company’s customers and independent security researchers would stop performing any kind of analysis on the company’s code base. And she probably has a new mystery novel coming out soon!
In a now-deleted blog post, Davidson name-dropped her nom de plume as a mystery author (she works in collaboration with her sister), before getting to the heart of the matter — she’s just plain sick and tired of pesky customers who hire independent contractors or analysts to perform a code analysis of Oracle software, then have the gall to send those analyses to Oracle and claim there might be a problem. Thanks to the magic of Google and some annoyed researchers, her post remains available in various corners of the web.
In the post, Davidson acknowledges that the current state of Internet security is enough to make anyone paranoid, but then states that consumers should take every possible step to lock down every possible flaw before even considering performing a code analysis. She’d also like you to know that under the terms of the Oracle license agreement, you are explicitly forbidden from performing that analysis anyway, regardless of how important you think it is.
The entire post is a masterful exercise in condescension to the same customers that pay her company huge licensing fees. Customer concern about zero-day exploits is dismissed as hyperventilating. According to Davidson, customers should be “talking to suppliers about their assurance programs or checking certifications for products for which there are Good Housekeeping seals for (or ‘good code’ seals) like Common Criteria certifications or FIPS-140 certifications.” Actual research is for chumps and license violators — real customers know that security is provided by a logo, a sticker, and a bit of glue.
Mary Ann Davidson. The title on the slide really makes this work.
The worst customers are the ones who use tools (or hire analysts to use tools) and then submit those reports to Oracle and ask for clarification over whether or not a detected flaw is actually real. Davidson correctly notes that scan reports aren’t actually proof of a real problem, but if Oracle detects that a report was generated by reverse-engineering their code, “we send a letter to the sinning customer, and a different letter to the sinning consultant-acting-on-customer’s behalf – reminding them of the terms of the Oracle license agreement that preclude reverse engineering, So Please Stop It Already.”
Sinning. A word generally defined as an immoral act considered to be a transgression against divine law. I’m no religious scholar, but I don’t recall the Gospel According to EULA, in which Christ rails against security consultants and declares “Blessed are the naively trusting, for they shall not be hacked.” Davidson hates code analysis, as she makes clear in other blog posts.
I’d just like to take a moment to remind everyone that Oracle — the company screaming “No, seriously, TRUST US,” also maintains and continues to ship Java.
That is all.