Oracle exec hits out at 'patch' mentality

Oracle's security chief says the software industry is so riddled with buggy product makers that "you wouldn't get on a plane built by software developers."

Chief Security Officer Mary Ann Davidson has hit out at an industry in which "most software people are not trained to think in terms of safety, security and reliability." Instead, they are wedded to a culture of "patch, patch, patch," at a cost to businesses of $59 billion, she said.

"What if civil engineers built bridges the way developers write code?" she asked. "What would happen is that you would get the blue bridge of death appearing on your highway in the morning."

Speaking at the WWW2006 conference in Edinburgh, Scotland, on Thursday, Davidson also touched on the wider subject of the state of the software and security industries.

The pressure to deal with the problem of unreliable and insecure software is building, and the industry has reached a "tipping point," she said.

It is now "chief executives who are complaining that what they are getting from their vendor is not acceptable, in terms of software assurance," Davidson said.

Things are so bad in the software business that it has become "a national security issue," with regulation of the industry currently on the agenda, she said. "I did an informal poll recently of chief security officers on the CSO Council, and a lot of them said they really thought the industry should be regulated," she said, referring to the security think tank.

But if regulation is coming, the industry has only itself to blame, she said.

"Industries don't want to be regulated, but if you don't want to be regulated, the burden is on you to do a better job."

Davidson also hit out at the "hacking mentality," and the incidence of exploits that could cause "a million dollars worth of damage...passed around freely at conferences." She said there was a major difference between people working in the software business and engineers who "are trained to think in terms of safety, security and reliability first."

She claimed that the British are particularly good at hacking as they have "the perfect temperament to be hackers--technically skilled, slightly disrespectful of authority, and just a touch of criminal behavior."

Colin Barker and Jonathan Bennett of UK.Builder.com reported from London.

[ejevo]

Put her back on her meds

Not that I disagree with Ms. Davidson, but she does realize who she works for, correct???? She might want to guide the rest of the industry by leading Oracle to a patch-free product first.

[ejevo]

Put her back on her meds

Not that I disagree with Ms. Davidson, but she does realize who she works for, correct???? She might want to guide the rest of the industry by leading Oracle to a patch-free product first.

[hutchike]

Related news stories about recent Oracle vulnerabilities

Oct 27, 2005: Flaw hunters pick holes in Oracle patches
http://news.com.com/Flaw+hunters+pick+holes+in+Oracle+patches/2100-1002_3-5916171.html?tag=nl

Oct 27, 2005: Oracle password system comes under fire
http://news.com.com/Oracle+password+system+comes+under+fire/2100-1002_3-5918305.html?tag=st.rn

Nov 1, 2005: Halloween treat for Oracle: A database worm
http://news.com.com/Halloween+treat+for+Oracle+A+database+worm/2100-7349_3-5926641.html

Seems that the pot is calling the kettle black?

Kevin

[hutchike]

Related news stories about recent Oracle vulnerabilities

Oct 27, 2005: Flaw hunters pick holes in Oracle patches
http://news.com.com/Flaw+hunters+pick+holes+in+Oracle+patches/2100-1002_3-5916171.html?tag=nl

Oct 27, 2005: Oracle password system comes under fire
http://news.com.com/Oracle+password+system+comes+under+fire/2100-1002_3-5918305.html?tag=st.rn

Nov 1, 2005: Halloween treat for Oracle: A database worm
http://news.com.com/Halloween+treat+for+Oracle+A+database+worm/2100-7349_3-5926641.html

Seems that the pot is calling the kettle black?

Kevin

[just_some_guy]

Can open source be regulated?

Now that so many open source apps are in use, would government regulation work? Open source definitely needs better quality control:

http://news.com.com/2100-7344-6069363.html?tag=tb

Fines and such work well for commercial companies, and they also need to clean up their acts.

On the bright side, if companies are held accountable for the quality of their software, we may see less jobs lost to outsourcing.

[Neo Con]

Open Source

Well, what is regulation other than "fines and such" for not doing what the government dictates?

Here's the problem: For open source, who gets held accountable? If it's the keeper of the kernel, so to speak, such regulation could effectively kill open source. What company in their right mind would allow unaccountable non-employees to contribute to their code if it could potentially expose them to fines when the bugs inevitably turn up?

Less Jobs lost to outsourcing??

Less jobs lost to outsourcing? You're kidding right? This would help to drive it even harder because as a "cost" to building software developers and testers can be found cheaper in other places such as China and India. And as some of them tout being CMM Level 5 (another joke) they will get the work too. The business people in the industry will keep pushing for cheaper labor in order to maximize the profit line, only when they begin to loose profit will they consider putting the money into the Testing/QA practices and other process related things that will make their products better. Software has always been a first to market / profit driven business, and always will be. Security and reliability are only considered when it hurts the pocket book of the CEO.
The solution to the problem is to look in the mirror and decide that an investment in internal process and Testing/QA is the way to improve the revenue stream by improving the reliability of the software. This along with higher customer satisfaction and renewal of licenses will improve the P&L. But it is a long term solution that a lot of companies do not want to invest in. The majority of software companies do not think this way.

[just_some_guy]

Can open source be regulated?

Now that so many open source apps are in use, would government regulation work? Open source definitely needs better quality control:

http://news.com.com/2100-7344-6069363.html?tag=tb

Fines and such work well for commercial companies, and they also need to clean up their acts.

On the bright side, if companies are held accountable for the quality of their software, we may see less jobs lost to outsourcing.

[Neo Con]

Open Source

Well, what is regulation other than "fines and such" for not doing what the government dictates?

Here's the problem: For open source, who gets held accountable? If it's the keeper of the kernel, so to speak, such regulation could effectively kill open source. What company in their right mind would allow unaccountable non-employees to contribute to their code if it could potentially expose them to fines when the bugs inevitably turn up?

Less Jobs lost to outsourcing??

Less jobs lost to outsourcing? You're kidding right? This would help to drive it even harder because as a "cost" to building software developers and testers can be found cheaper in other places such as China and India. And as some of them tout being CMM Level 5 (another joke) they will get the work too. The business people in the industry will keep pushing for cheaper labor in order to maximize the profit line, only when they begin to loose profit will they consider putting the money into the Testing/QA practices and other process related things that will make their products better. Software has always been a first to market / profit driven business, and always will be. Security and reliability are only considered when it hurts the pocket book of the CEO.
The solution to the problem is to look in the mirror and decide that an investment in internal process and Testing/QA is the way to improve the revenue stream by improving the reliability of the software. This along with higher customer satisfaction and renewal of licenses will improve the P&L. But it is a long term solution that a lot of companies do not want to invest in. The majority of software companies do not think this way.

[baswwe]

bridge makers don't have to put up with ever changing requirements

They just have to build a bridge.

With software - the requirements are always changing by the user.

Of course some bridges don't work completely - they don't stand up to earthquakes, or can't hand an airplane crashing into them, or a boat/barge and they also get destroyed/broken. They also don't last forever and eventually fall apart.

[jabbotts]

hm, I've got an old bridge running great in the new environment

With a boot time of second, DOS runs pretty damn good in this changed environment of hardware.

Heck, I could still be happily using it for more than just a BBs platform if I didn't have to interact with other platforms. Well, and if the IP protocol support didn't suck. But then, driver support and game publishing for DOS has follen rather out of fashion.

Mind you, if I'd had access to Unix rather than Dos when I was seven I'd likely have never touched winblows.

[qwerty75]

Bad anology

The fact that software requirements can change doesn't mean that more bugs have to be introduced.

Despite this persons employer, the points are valid.

I suspect the complaints are from lazy half-ass developers who don't know 10% of what they think they do abut software security. It is alarming how many professional programmers really don't understand what is going on in hardware, thus don't understand security issues.

If the software industry doesn't start cleaning up its act and take responsibility for its products(through warranties and other guarentees), governemt will step it and that will be to the detriment of everyone.

[ktowncrazy]

re building bridges..

most bridges take 2-3 years to design,factoring in the weather,water currents,structural capabilties,then when its being built,another 2-3 years,it goes under more revisions,then its inpected,certified..and remember the engineers are certified&licenced..the last thing they want is that bridge to fail,because if it does, it will be the end of them and the companies that built it,both will be bankrupted by lawsuits...you 'softies'got it easy..

[baswwe]

bridge makers don't have to put up with ever changing requirements

They just have to build a bridge.

With software - the requirements are always changing by the user.

Of course some bridges don't work completely - they don't stand up to earthquakes, or can't hand an airplane crashing into them, or a boat/barge and they also get destroyed/broken. They also don't last forever and eventually fall apart.

[jabbotts]

hm, I've got an old bridge running great in the new environment

With a boot time of second, DOS runs pretty damn good in this changed environment of hardware.

Heck, I could still be happily using it for more than just a BBs platform if I didn't have to interact with other platforms. Well, and if the IP protocol support didn't suck. But then, driver support and game publishing for DOS has follen rather out of fashion.

Mind you, if I'd had access to Unix rather than Dos when I was seven I'd likely have never touched winblows.

[qwerty75]

Bad anology

The fact that software requirements can change doesn't mean that more bugs have to be introduced.

Despite this persons employer, the points are valid.

I suspect the complaints are from lazy half-ass developers who don't know 10% of what they think they do abut software security. It is alarming how many professional programmers really don't understand what is going on in hardware, thus don't understand security issues.

If the software industry doesn't start cleaning up its act and take responsibility for its products(through warranties and other guarentees), governemt will step it and that will be to the detriment of everyone.

[ktowncrazy]

re building bridges..

most bridges take 2-3 years to design,factoring in the weather,water currents,structural capabilties,then when its being built,another 2-3 years,it goes under more revisions,then its inpected,certified..and remember the engineers are certified&licenced..the last thing they want is that bridge to fail,because if it does, it will be the end of them and the companies that built it,both will be bankrupted by lawsuits...you 'softies'got it easy..

[dargon19888]

Pot calling the kettle black...

This is a hoot.

1) Software companies don't want to pay for the higher cost of doing software right.

2) Software companies learned from Gates that you need to be first to market to gain market share, then patch.

3) Not enough software engineers to meet companies demand for software.

You get the idea....

But hey! What do I know.
I *am* a software engineer!

[dargon19888]

Pot calling the kettle black...

This is a hoot.

1) Software companies don't want to pay for the higher cost of doing software right.

2) Software companies learned from Gates that you need to be first to market to gain market share, then patch.

3) Not enough software engineers to meet companies demand for software.

You get the idea....

But hey! What do I know.
I *am* a software engineer!

[donaldjwood]

Software

If software vendors didn't have the EULA to protect them, software would be released as more of a finished product. As it is now, software is routinely released as a work in progress. For an example: if Microsoft were to fight as hard for the right to introduce Windows with no need for virus protection as they do for the right to add a media player, it may be worth close to what they charge for it.

[donaldjwood]

Software

If software vendors didn't have the EULA to protect them, software would be released as more of a finished product. As it is now, software is routinely released as a work in progress. For an example: if Microsoft were to fight as hard for the right to introduce Windows with no need for virus protection as they do for the right to add a media player, it may be worth close to what they charge for it.

[sarmasriram]

Look who is talking!!!

Gee...
Of all the people... Oracle saying this? Surprising!! Not only their server systems, but their patches are also so full of bugs!

[sarmasriram]

Look who is talking!!!

Gee...
Of all the people... Oracle saying this? Surprising!! Not only their server systems, but their patches are also so full of bugs!

[yipcanjo]

Hysterical! I found this article...

....while a co-worker and I were frantically attempting to install (2) Oracle 10g patches!!!

It is truly laughable :D

[yipcanjo]

Hysterical! I found this article...

....while a co-worker and I were frantically attempting to install (2) Oracle 10g patches!!!

It is truly laughable :D

[CubanPete]

Unfair to Software Developers

The problem with comments like this is that it makes software developers look bad, when in actual fact software developers know how to make secure and reliable software.
problem is you have managers who dont understand software quality and how long it takes to program. Less and less time is given to the coding aspect of a lifecycle and more to testing/fixing which if you do the coding right u need less time for testing/fixing, and more pressure is put on developers to rush using quick fixes instead of doing something properly!
Then higher up you have the customer who wants more, for less money in less time, its like forcing a surgeon to do a heart transplant in 5 minutes, you expect perfection in 5 minutes?

It's too easy to blame the developer, so thats what happenes!

[michaelnewport]

Mary Ann Davidson

M.A.D. enough said :)

[CubanPete]

Unfair to Software Developers

The problem with comments like this is that it makes software developers look bad, when in actual fact software developers know how to make secure and reliable software.
problem is you have managers who dont understand software quality and how long it takes to program. Less and less time is given to the coding aspect of a lifecycle and more to testing/fixing which if you do the coding right u need less time for testing/fixing, and more pressure is put on developers to rush using quick fixes instead of doing something properly!
Then higher up you have the customer who wants more, for less money in less time, its like forcing a surgeon to do a heart transplant in 5 minutes, you expect perfection in 5 minutes?

It's too easy to blame the developer, so thats what happenes!

[michaelnewport]

Mary Ann Davidson

M.A.D. enough said :)

[noahhoward]

Come again?

Tacoma Narrows bridge anyone? Bet they wished they could have patched that one.

[noahhoward]

Come again?

Tacoma Narrows bridge anyone? Bet they wished they could have patched that one.