May 26, 2006 9:44 AM PDT
Oracle exec hits out at 'patch' mentality
Related Stories
- Oracle wants to rein in database admins (April 25, 2006)
- Attack code out for Oracle database (April 20, 2006)
- When security researchers become the problem (July 27, 2005)
- Oracle dragging heels on unfixed flaws, researcher says (July 19, 2005)
Chief Security Officer Mary Ann Davidson has hit out at an industry in which "most software people are not trained to think in terms of safety, security and reliability." Instead, they are wedded to a culture of "patch, patch, patch," at a cost to businesses of $59 billion, she said.
"What if civil engineers built bridges the way developers write code?" she asked. "What would happen is that you would get the blue bridge of death appearing on your highway in the morning."
Speaking at the WWW2006 conference in Edinburgh, Scotland, on Thursday, Davidson also touched on the wider subject of the state of the software and security industries.
The pressure to deal with the problem of unreliable and insecure software is building, and the industry has reached a "tipping point," she said.
It is now "chief executives who are complaining that what they are getting from their vendor is not acceptable, in terms of software assurance," Davidson said.
Things are so bad in the software business that it has become "a national security issue," with regulation of the industry currently on the agenda, she said. "I did an informal poll recently of chief security officers on the CSO Council, and a lot of them said they really thought the industry should be regulated," she said, referring to the security think tank.
But if regulation is coming, the industry has only itself to blame, she said.
"Industries don't want to be regulated, but if you don't want to be regulated, the burden is on you to do a better job."
Davidson also hit out at the "hacking mentality," and the incidence of exploits that could cause "a million dollars worth of damage...passed around freely at conferences." She said there was a major difference between people working in the software business and engineers who "are trained to think in terms of safety, security and reliability first."
She claimed that the British are particularly good at hacking as they have "the perfect temperament to be hackers--technically skilled, slightly disrespectful of authority, and just a touch of criminal behavior."
Colin Barker and Jonathan Bennett of UK.Builder.com reported from London.
http://news.com.com/Flaw+hunters+pick+holes+in+Oracle+patches/2100-1002_3-5916171.html?tag=nl
Oct 27, 2005: Oracle password system comes under fire
http://news.com.com/Oracle+password+system+comes+under+fire/2100-1002_3-5918305.html?tag=st.rn
Nov 1, 2005: Halloween treat for Oracle: A database worm
http://news.com.com/Halloween+treat+for+Oracle+A+database+worm/2100-7349_3-5926641.html
Seems that the pot is calling the kettle black?
Kevin
http://news.com.com/2100-7344-6069363.html?tag=tb
Fines and such work well for commercial companies, and they also need to clean up their acts.
On the bright side, if companies are held accountable for the quality of their software, we may see fewer jobs lost to outsourcing.
Here's the problem: For open source, who gets held accountable? If it's the keeper of the kernel, so to speak, such regulation could effectively kill open source. What company in their right mind would allow unaccountable non-employees to contribute to their code if it could potentially expose them to fines when the bugs inevitably turn up?
The solution to the problem is to look in the mirror and decide that an investment in internal process and Testing/QA is the way to improve the revenue stream by improving the reliability of the software. This along with higher customer satisfaction and renewal of licenses will improve the P&L. But it is a long term solution that a lot of companies do not want to invest in. The majority of software companies do not think this way.
With software, the requirements are always being changed by the user.
Of course some bridges don't work completely: they don't stand up to earthquakes, or can't handle an airplane crashing into them, or a boat/barge, and they also get destroyed/broken. They also don't last forever and eventually fall apart.
Heck, I could still be happily using it for more than just a BBS platform if I didn't have to interact with other platforms. Well, and if the IP protocol support didn't suck. But then, driver support and game publishing for DOS have fallen rather out of fashion.
Mind you, if I'd had access to Unix rather than DOS when I was seven I'd likely have never touched winblows.
Despite this person's employer, the points are valid.
I suspect the complaints are from lazy half-ass developers who don't know 10% of what they think they do about software security. It is alarming how many professional programmers really don't understand what is going on in hardware, and thus don't understand security issues.
If the software industry doesn't start cleaning up its act and take responsibility for its products (through warranties and other guarantees), government will step in, and that will be to the detriment of everyone.
1) Software companies don't want to pay for the higher cost of doing software right.
2) Software companies learned from Gates that you need to be first to market to gain market share, then patch.
3) Not enough software engineers to meet companies' demand for software.
You get the idea....
But hey! What do I know.
I *am* a software engineer!
Of all the people... Oracle saying this? Surprising!! Not only their server systems, but their patches are also so full of bugs!
It is truly laughable :D
The problem is you have managers who don't understand software quality and how long it takes to program. Less and less time is given to the coding aspect of a lifecycle and more to testing/fixing, whereas if you do the coding right you need less time for testing/fixing, and more pressure is put on developers to rush using quick fixes instead of doing something properly!
Then higher up you have the customer who wants more, for less money, in less time. It's like forcing a surgeon to do a heart transplant in 5 minutes: do you expect perfection in 5 minutes?
It's too easy to blame the developer, so that's what happens!
Looks like they're trying to place everybody else in the same bandwagon which they've found themselves in.
But it just doesn't work that way. Some of what she says has merit, but much is ado about making them look "NOT SO BAD"! (* ROFLOL *)
Bottom Line: There is NO SUCH THING as 100% SAFE software... and thus patches are required. But she's going on and on about how to develop a 100% secure application which is just impossible.
So much for her daydreaming! (* ROFLOL *)
Walt
about the shoddy quality of software.
It just shows that they themselves don't have a clue about what's going on and that they don't give a flip about EULAs. I mean, that's for the legal eagles to worry about, right?
Ever read a EULA carefully? I refer to the bit where they say: "This software product is delivered as is and offers no guarantee of usability whatsoever NOT EVEN FOR THE PURPOSE IT WAS SOLD FOR". Not exact wording, but it's close enough for this purpose.
What they say is that although they will claim it's the best thing since sliced bread, they don't have enough confidence in their own product that they will guarantee that it will perform its base functionality. Just that: we don't guarantee that it will actually work.
And you believe they would be concerned with luxuries such as safety when they can't even guarantee that their product will do what you buy it for?
Users have to realise that a large application can't be created in three weeks' time by 4 people on a shoestring budget. Execs want that, shareholders demand it, but it doesn't work like that.
Microsoft's Vista qualms show very clearly how difficult it is to make something as complex as an OS [and then you have to worry about how good it will be in the end. Hint: read the EULA ;)]