Menu
Oracle pulls blog post critical of security vendors, customers

Oracle pulls blog post critical of security vendors, customers

Oracle's head of security advised customers not to submit bug reports from third-party security analysis tools and services

Oracle published, then quickly deleted, a blog post criticizing third-party security consultants and the enterprise customers who use them.

Authored by Oracle chief security officer Mary Ann Davidson, the post sharply admonished enterprise customers for reverse engineering, or hiring consultants to reverse engineer, the company's proprietary software, with the aim of finding as of yet unfixed security vulnerabilities.

The missive, entitled "No, You Really Can't," was issued Monday on Davidson's corporate blog, then pulled a few hours later. The Internet Archive captured a copy of the post.

"We removed the post as it does not reflect our beliefs or our relationship with our customers," wrote Edward Screven, Oracle executive vice president and chief corporate architect, in a press statement emailed Tuesday.

The post responds to an increasing number of static analysis reports being submitted to Oracle by its customers. Static analysis is the process of inspecting the object code, or source code, of a program to find vulnerabilities.

Organizations may hire a third-party security consultant or program, from the likes of Veracode or Coverity, to scan the enterprise software it uses to look for as-of-yet unearthed bugs that could be exploited to gain entry to a system.

Davidson wrote that such tests are rarely necessary, and often point to flaws that don't exist.

"Most of these tools have a close to 100 [percent] false positive rate so please do not waste our time on reporting little green men in our code," she wrote.

Customers would be better served by keeping their software patched than by foraging for fresh obscure zero-day vulnerabilities, she wrote.

She reminded her customers that such scans, which inspect the object code of the actual program, violate the terms of Oracle's licensing agreements, because they constitute reverse engineering, which is the process of disassembling a technology to understand how it operates. Davidson also took a jab at bug bounty programs, in which companies such as Microsoft or Google offer cash rewards to researchers who dig up previously undiscovered software flaws. Such a program wouldn't be of much value to Oracle, since the company finds the majority of its bugs through internal testing.

Not surprisingly, many security firms were not happy with the blog post.

"Discouraging customers from reporting vulnerabilities or telling them they are violating license agreements by reverse engineering code, is an attempt to turn back the progress made to improve software security," wrote Chris Wysopal, Veracode chief technology officer and chief information security officer, in an email statement.

Follow Us

Join the New Zealand Reseller News newsletter!

Error: Please check your email address.

Tags securitypatch managementExploits / vulnerabilitiesOracle

Slideshows

Meet the leading HP partners in New Zealand...

Meet the leading HP partners in New Zealand...

HP has recognised its top performing partners in New Zealand at the second annual 2016 HP Partner Awards, held at a glittering bash in Auckland. The HP Partner Awards recognises and celebrates excellence, growth, consistency and engagement of its top partners. This year also saw the addition of several new categories, resulting in 11 companies winning across 11 award categories.

Meet the leading HP partners in New Zealand...
Channel comes together as Ingram Micro Showcase hits Auckland

Channel comes together as Ingram Micro Showcase hits Auckland

Ingram Micro outlined its core focuses for 2017 at Showcase in Auckland, bringing together the channel for a day of engaging keynotes, compelling breakout sessions and new technologies.

Channel comes together as Ingram Micro Showcase hits Auckland
Show Comments