May 26, 2006 9:44 AM PDT

Oracle exec hits out at 'patch' mentality

Oracle's security chief says the software industry is so riddled with buggy product makers that "you wouldn't get on a plane built by software developers."

Chief Security Officer Mary Ann Davidson has hit out at an industry in which "most software people are not trained to think in terms of safety, security and reliability." Instead, they are wedded to a culture of "patch, patch, patch," at a cost to businesses of $59 billion, she said.

"What if civil engineers built bridges the way developers write code?" she asked. "What would happen is that you would get the blue bridge of death appearing on your highway in the morning."

Speaking at the WWW2006 conference in Edinburgh, Scotland, on Thursday, Davidson also touched on the wider subject of the state of the software and security industries.

The pressure to deal with the problem of unreliable and insecure software is building, and the industry has reached a "tipping point," she said.

It is now "chief executives who are complaining that what they are getting from their vendor is not acceptable, in terms of software assurance," Davidson said.

Things are so bad in the software business that it has become "a national security issue," with regulation of the industry currently on the agenda, she said. "I did an informal poll recently of chief security officers on the CSO Council, and a lot of them said they really thought the industry should be regulated," she said, referring to the security think tank.

But if regulation is coming, the industry has only itself to blame, she said.

"Industries don't want to be regulated, but if you don't want to be regulated, the burden is on you to do a better job."

Davidson also hit out at the "hacking mentality," and the incidence of exploits that could cause "a million dollars' worth of damage ... passed around freely at conferences." She said there was a major difference between people working in the software business and engineers who "are trained to think in terms of safety, security and reliability first."

She claimed that the British are particularly good at hacking as they have "the perfect temperament to be hackers--technically skilled, slightly disrespectful of authority, and just a touch of criminal behavior."

Colin Barker and Jonathan Bennett of UK.Builder.com reported from London.


66 comments

Put her back on her meds
Not that I disagree with Ms. Davidson, but she does realize who she works for, correct???? She might want to guide the rest of the industry by leading Oracle to a patch-free product first.
Posted by ejevo (134 comments)
Related news stories about recent Oracle vulnerabilities
Oct 27, 2005: Flaw hunters pick holes in Oracle patches
http://news.cbsi.com/Flaw+hunters+pick+holes+in+Oracle+patches/2100-1002_3-5916171.html?tag=nl

Oct 27, 2005: Oracle password system comes under fire
http://news.cbsi.com/Oracle+password+system+comes+under+fire/2100-1002_3-5918305.html?tag=st.rn

Nov 1, 2005: Halloween treat for Oracle: A database worm
http://news.cbsi.com/Halloween+treat+for+Oracle+A+database+worm/2100-7349_3-5926641.html

Seems that the pot is calling the kettle black?

Kevin
Posted by hutchike (157 comments)
Can open source be regulated?
Now that so many open source apps are in use, would government regulation work? Open source definitely needs better quality control:

http://news.cbsi.com/2100-7344-6069363.html?tag=tb

Fines and such work well for commercial companies, and they also need to clean up their acts.

On the bright side, if companies are held accountable for the quality of their software, we may see less jobs lost to outsourcing.
Posted by just_some_guy (231 comments)
Open Source
Well, what is regulation other than "fines and such" for not doing what the government dictates?

Here's the problem: For open source, who gets held accountable? If it's the keeper of the kernel, so to speak, such regulation could effectively kill open source. What company in their right mind would allow unaccountable non-employees to contribute to their code if it could potentially expose them to fines when the bugs inevitably turn up?
Posted by Neo Con (428 comments)
Less Jobs lost to outsourcing??
Less jobs lost to outsourcing? You're kidding, right? This would help to drive it even harder, because as a "cost" to building software, developers and testers can be found cheaper in other places such as China and India. And as some of them tout being CMM Level 5 (another joke) they will get the work too. The business people in the industry will keep pushing for cheaper labor in order to maximize the profit line; only when they begin to lose profit will they consider putting the money into the Testing/QA practices and other process related things that will make their products better. Software has always been a first to market / profit driven business, and always will be. Security and reliability are only considered when it hurts the pocket book of the CEO.
The solution to the problem is to look in the mirror and decide that an investment in internal process and Testing/QA is the way to improve the revenue stream by improving the reliability of the software. This along with higher customer satisfaction and renewal of licenses will improve the P&L. But it is a long term solution that a lot of companies do not want to invest in. The majority of software companies do not think this way.
Posted by (35 comments)
bridge makers don't have to put up with ever changing requirements
They just have to build a bridge.

With software - the requirements are always changing by the user.

Of course some bridges don't work completely - they don't stand up to earthquakes, or can't handle an airplane crashing into them, or a boat/barge, and they also get destroyed/broken. They also don't last forever and eventually fall apart.
Posted by baswwe (299 comments)
hm, I've got an old bridge running great in the new environment
With a boot time of a second, DOS runs pretty damn good in this changed environment of hardware.

Heck, I could still be happily using it for more than just a BBS platform if I didn't have to interact with other platforms. Well, and if the IP protocol support didn't suck. But then, driver support and game publishing for DOS has fallen rather out of fashion.

Mind you, if I'd had access to Unix rather than DOS when I was seven I'd likely have never touched winblows.
Posted by jabbotts (492 comments)
Bad analogy
The fact that software requirements can change doesn't mean that more bugs have to be introduced.

Despite this person's employer, the points are valid.

I suspect the complaints are from lazy half-ass developers who don't know 10% of what they think they do about software security. It is alarming how many professional programmers really don't understand what is going on in hardware, thus don't understand security issues.

If the software industry doesn't start cleaning up its act and take responsibility for its products (through warranties and other guarantees), government will step in and that will be to the detriment of everyone.
Posted by qwerty75 (1164 comments)
re building bridges..
Most bridges take 2-3 years to design, factoring in the weather, water currents, structural capabilities; then when it's being built, another 2-3 years, it goes under more revisions; then it's inspected, certified... and remember the engineers are certified & licenced... the last thing they want is that bridge to fail, because if it does, it will be the end of them and the companies that built it; both will be bankrupted by lawsuits... you 'softies' got it easy..
Posted by ktowncrazy (8 comments)
Pot calling the kettle black...
This is a hoot.

1) Software companies don't want to pay for the higher cost of doing software right.

2) Software companies learned from Gates that you need to be first to market to gain market share, then patch.

3) Not enough software engineers to meet companies' demand for software.

You get the idea....

But hey! What do I know.
I *am* a software engineer!
Posted by dargon19888 (412 comments)
Software
If software vendors didn't have the EULA to protect them, software would be released as more of a finished product. As it is now, software is routinely released as a work in progress. For an example: if Microsoft were to fight as hard for the right to introduce Windows with no need for virus protection as they do for the right to add a media player, it may be worth close to what they charge for it.
Posted by donaldjwood (11 comments)
Look who is talking!!!
Gee...
Of all the people... Oracle saying this? Surprising!! Not only their server systems, but their patches are also so full of bugs!
Posted by sarmasriram (7 comments)
Hysterical! I found this article...
....while a co-worker and I were frantically attempting to install (2) Oracle 10g patches!!!

It is truly laughable :D
Posted by yipcanjo (75 comments)
Unfair to Software Developers
The problem with comments like this is that it makes software developers look bad, when in actual fact software developers know how to make secure and reliable software.
The problem is you have managers who don't understand software quality and how long it takes to program. Less and less time is given to the coding aspect of a lifecycle and more to testing/fixing, which if you do the coding right you need less time for testing/fixing, and more pressure is put on developers to rush using quick fixes instead of doing something properly!
Then higher up you have the customer who wants more, for less money in less time; it's like forcing a surgeon to do a heart transplant in 5 minutes. You expect perfection in 5 minutes?

It's too easy to blame the developer, so that's what happens!
Posted by CubanPete (4 comments)
Mary Ann Davidson
M.A.D. enough said :)
Posted by michaelnewport (2 comments)
Come again?
Tacoma Narrows bridge anyone? Bet they wished they could have patched that one.
Posted by noahhoward (7 comments)
The Pot calling the Kettle Black!
And just look who's talking... I mean this is a good example of the pot calling the kettle black... (* ROFLOL *)

Looks like they're trying to place everybody else in the same bandwagon which they've found themselves in.

But it just doesn't work that way. Some of what she says has merit, but much is ado about making them look "NOT SO BAD"! (* ROFLOL *)

Bottom Line: There is NO SUCH THING as 100% SAFE software... and thus patches are required. But she's going on and on about how to develop a 100% secure application, which is just impossible.

So much for her daydreaming! (* ROFLOL *)

Walt
Posted by wbenton (522 comments)
Software quality
I'm a bit mystified as to why execs suddenly wake up and whine about the shoddy quality of software.

It just shows that they themselves don't have a clue about what's going on and that they don't give a flip about EULAs. I mean, that's for the legal eagles to worry about, right?

Ever read a EULA carefully? I refer to the bit where they say: "This software product is delivered as is and offers no guarantee of usability whatsoever NOT EVEN FOR THE PURPOSE IT WAS SOLD FOR". Not exact wording, but it's close enough for this purpose. What they say is that although they will claim it's the best thing since sliced bread, they don't have enough confidence in their own product that they will guarantee that it will perform its base functionality. Just that: we don't guarantee that it will actually work.

And you believe they would be concerned with luxuries such as safety when they can't even guarantee that their product will do what you buy it for?

Users have to realise that a large application can't be created in three weeks' time by 4 people on a shoestring budget. Execs want that, shareholders demand it, but it doesn't work like that. Microsoft's Vista qualms show very clearly how difficult it is to make something as complex as an OS [and then you have to worry about how good it will be in the end. Hint: read the EULA ;)]
Posted by MasterAtArms (3 comments)
I find that ironic...
Wow, I find that to be an interesting remark from a company from which I have rarely seen such buggy products! But hey, moral is good, double-moral must be twice as good.
Posted by mrmorris (2 comments)