May 26, 2006 9:44 AM PDT

Oracle exec hits out at 'patch' mentality

Oracle's security chief says the software industry is so riddled with buggy product makers that "you wouldn't get on a plane built by software developers."

Chief Security Officer Mary Ann Davidson has hit out at an industry in which "most software people are not trained to think in terms of safety, security and reliability." Instead, they are wedded to a culture of "patch, patch, patch," at a cost to businesses of $59 billion, she said.

"What if civil engineers built bridges the way developers write code?" she asked. "What would happen is that you would get the blue bridge of death appearing on your highway in the morning."

Speaking at the WWW2006 conference in Edinburgh, Scotland, on Thursday, Davidson also touched on the wider subject of the state of the software and security industries.

The pressure to deal with the problem of unreliable and insecure software is building, and the industry has reached a "tipping point," she said.

It is now "chief executives who are complaining that what they are getting from their vendor is not acceptable, in terms of software assurance," Davidson said.

Things are so bad in the software business that it has become "a national security issue," with regulation of the industry currently on the agenda, she said. "I did an informal poll recently of chief security officers on the CSO Council, and a lot of them said they really thought the industry should be regulated," she said, referring to the security think tank.

But if regulation is coming, the industry has only itself to blame, she said.

"Industries don't want to be regulated, but if you don't want to be regulated, the burden is on you to do a better job."

Davidson also hit out at the "hacking mentality," and the incidence of exploits that could cause "a million dollars worth of damage...passed around freely at conferences." She said there was a major difference between people working in the software business and engineers who "are trained to think in terms of safety, security and reliability first."

She claimed that the British are particularly good at hacking as they have "the perfect temperament to be hackers--technically skilled, slightly disrespectful of authority, and just a touch of criminal behavior."

Colin Barker and Jonathan Bennett of UK.Builder.com reported from London.

Comments (showing 1 of 3 pages, 66 comments)
Put her back on her meds
by ejevo May 26, 2006 10:13 AM PDT
Not that I disagree with Ms. Davidson, but she does realize who she works for, correct???? She might want to guide the rest of the industry by leading Oracle to a patch-free product first.
Related news stories about recent Oracle vulnerabilities
by hutchike May 26, 2006 10:17 AM PDT
Oct 27, 2005: Flaw hunters pick holes in Oracle patches
http://news.com.com/Flaw+hunters+pick+holes+in+Oracle+patches/2100-1002_3-5916171.html?tag=nl

Oct 27, 2005: Oracle password system comes under fire
http://news.com.com/Oracle+password+system+comes+under+fire/2100-1002_3-5918305.html?tag=st.rn

Nov 1, 2005: Halloween treat for Oracle: A database worm
http://news.com.com/Halloween+treat+for+Oracle+A+database+worm/2100-7349_3-5926641.html

Seems that the pot is calling the kettle black?

Kevin
Can open source be regulated?
by just_some_guy May 26, 2006 10:22 AM PDT
Now that so many open source apps are in use, would government regulation work? Open source definitely needs better quality control:

http://news.com.com/2100-7344-6069363.html?tag=tb

Fines and such work well for commercial companies, and they also need to clean up their acts.

On the bright side, if companies are held accountable for the quality of their software, we may see less jobs lost to outsourcing.
Open Source
by Neo Con May 26, 2006 11:05 AM PDT
Well, what is regulation other than "fines and such" for not doing what the government dictates?

Here's the problem: For open source, who gets held accountable? If it's the keeper of the kernel, so to speak, such regulation could effectively kill open source. What company in their right mind would allow unaccountable non-employees to contribute to their code if it could potentially expose them to fines when the bugs inevitably turn up?
Less Jobs lost to outsourcing??
by May 30, 2006 8:33 AM PDT
Less jobs lost to outsourcing? You're kidding, right? This would help to drive it even harder because, as a "cost" to building software, developers and testers can be found cheaper in other places such as China and India. And as some of them tout being CMM Level 5 (another joke) they will get the work too. The business people in the industry will keep pushing for cheaper labor in order to maximize the profit line; only when they begin to lose profit will they consider putting the money into the Testing/QA practices and other process-related things that will make their products better. Software has always been a first-to-market / profit-driven business, and always will be. Security and reliability are only considered when it hurts the pocketbook of the CEO.
The solution to the problem is to look in the mirror and decide that an investment in internal process and Testing/QA is the way to improve the revenue stream by improving the reliability of the software. This along with higher customer satisfaction and renewal of licenses will improve the P&L. But it is a long term solution that a lot of companies do not want to invest in. The majority of software companies do not think this way.
bridge makers don't have to put up with ever changing requirements
by baswwe May 26, 2006 11:32 AM PDT
They just have to build a bridge.

With software - the requirements are always changing by the user.

Of course some bridges don't work completely - they don't stand up to earthquakes, or can't handle an airplane crashing into them, or a boat/barge, and they also get destroyed/broken. They also don't last forever and eventually fall apart.
hm, I've got an old bridge running great in the new environment
by jabbotts May 26, 2006 10:16 PM PDT
With a boot time of a second, DOS runs pretty damn good in this changed environment of hardware.

Heck, I could still be happily using it for more than just a BBS platform if I didn't have to interact with other platforms. Well, and if the IP protocol support didn't suck. But then, driver support and game publishing for DOS has fallen rather out of fashion.

Mind you, if I'd had access to Unix rather than DOS when I was seven I'd likely have never touched winblows.
Bad analogy
by qwerty75 May 27, 2006 10:56 AM PDT
The fact that software requirements can change doesn't mean that more bugs have to be introduced.

Despite this person's employer, the points are valid.

I suspect the complaints are from lazy half-ass developers who don't know 10% of what they think they do about software security. It is alarming how many professional programmers really don't understand what is going on in hardware, thus don't understand security issues.

If the software industry doesn't start cleaning up its act and take responsibility for its products (through warranties and other guarantees), government will step in and that will be to the detriment of everyone.
re building bridges..
by ktowncrazy May 29, 2006 10:55 AM PDT
Most bridges take 2-3 years to design, factoring in the weather, water currents, structural capabilities. Then when it's being built, another 2-3 years, it goes under more revisions, then it's inspected, certified... and remember the engineers are certified & licensed. The last thing they want is that bridge to fail, because if it does, it will be the end of them and the companies that built it; both will be bankrupted by lawsuits... you 'softies' got it easy..
Pot calling the kettle black...
by dargon19888 May 26, 2006 11:38 AM PDT
This is a hoot.

1) Software companies don't want to pay for the higher cost of doing software right.

2) Software companies learned from Gates that you need to be first to market to gain market share, then patch.

3) Not enough software engineers to meet companies demand for software.

You get the idea....

But hey! What do I know.
I *am* a software engineer!
Software
by donaldjwood May 26, 2006 12:04 PM PDT
If software vendors didn't have the EULA to protect them, software would be released as more of a finished product. As it is now, software is routinely released as a work in progress. For an example: if Microsoft were to fight as hard for the right to introduce Windows with no need for virus protection as they do for the right to add a media player, it may be worth close to what they charge for it.
Look who is talking!!!
by sarmasriram May 26, 2006 12:54 PM PDT
Gee...
Of all the people... Oracle saying this? Surprising!! Not only their server systems, but their patches are also so full of bugs!
Hysterical! I found this article...
by yipcanjo May 26, 2006 1:27 PM PDT
....while a co-worker and I were frantically attempting to install (2) Oracle 10g patches!!!

It is truly laughable :D
Unfair to Software Developers
by CubanPete May 26, 2006 4:23 PM PDT
The problem with comments like this is that it makes software developers look bad, when in actual fact software developers know how to make secure and reliable software.
The problem is you have managers who don't understand software quality and how long it takes to program. Less and less time is given to the coding aspect of a lifecycle and more to testing/fixing, which, if you do the coding right, you need less time for testing/fixing; and more pressure is put on developers to rush using quick fixes instead of doing something properly!
Then higher up you have the customer who wants more, for less money, in less time. It's like forcing a surgeon to do a heart transplant in 5 minutes; you expect perfection in 5 minutes?

It's too easy to blame the developer, so that's what happens!
Mary Ann Davidson
by michaelnewport May 27, 2006 10:10 AM PDT
M.A.D. enough said :)
Come again?
by noahhoward May 27, 2006 8:52 PM PDT
Tacoma Narrows bridge anyone? Bet they wished they could have patched that one.