Menu
Oracle pulls blog post critical of security vendors, customers

Oracle pulls blog post critical of security vendors, customers

Oracle's head of security advised customers not to submit bug reports from third-party security analysis tools and services

Oracle published, then quickly deleted, a blog post criticizing third-party security consultants and the enterprise customers who use them.

Authored by Oracle chief security officer Mary Ann Davidson, the post sharply admonished enterprise customers for reverse engineering, or hiring consultants to reverse engineer, the company's proprietary software, with the aim of finding as of yet unfixed security vulnerabilities.

The missive, entitled "No, You Really Can't," was issued Monday on Davidson's corporate blog, then pulled a few hours later. The Internet Archive captured a copy of the post.

"We removed the post as it does not reflect our beliefs or our relationship with our customers," wrote Edward Screven, Oracle executive vice president and chief corporate architect, in a press statement emailed Tuesday.

The post responds to an increasing number of static analysis reports being submitted to Oracle by its customers. Static analysis is the process of inspecting the object code, or source code, of a program to find vulnerabilities.

Organizations may hire a third-party security consultant or program, from the likes of Veracode or Coverity, to scan the enterprise software it uses to look for as-of-yet unearthed bugs that could be exploited to gain entry to a system.

Davidson wrote that such tests are rarely necessary, and often point to flaws that don't exist.

"Most of these tools have a close to 100 [percent] false positive rate so please do not waste our time on reporting little green men in our code," she wrote.

Customers would be better served by keeping their software patched than by foraging for fresh obscure zero-day vulnerabilities, she wrote.

She reminded her customers that such scans, which inspect the object code of the actual program, violate the terms of Oracle's licensing agreements, because they constitute reverse engineering, which is the process of disassembling a technology to understand how it operates. Davidson also took a jab at bug bounty programs, in which companies such as Microsoft or Google offer cash rewards to researchers who dig up previously undiscovered software flaws. Such a program wouldn't be of much value to Oracle, since the company finds the majority of its bugs through internal testing.

Not surprisingly, many security firms were not happy with the blog post.

"Discouraging customers from reporting vulnerabilities or telling them they are violating license agreements by reverse engineering code, is an attempt to turn back the progress made to improve software security," wrote Chris Wysopal, Veracode chief technology officer and chief information security officer, in an email statement.


Follow Us

Join the newsletter!

Error: Please check your email address.

Tags securitypatch managementExploits / vulnerabilitiesOracle

Featured

Slideshows

Meet the top performing HP partners in NZ

Meet the top performing HP partners in NZ

HP honoured leading partners across the channel at the Partner Awards 2017 in New Zealand, recognising excellence across the entire print and personal systems portfolio.

Meet the top performing HP partners in NZ
Tech industry comes together as Lexel celebrates turning 30

Tech industry comes together as Lexel celebrates turning 30

Leading figures within the technology industry across New Zealand came together to celebrate 30 years of success for Lexel Systems, at a milestone birthday occasion at St Matthews in the City.​

Tech industry comes together as Lexel celebrates turning 30
HP re-imagines education through Auckland event launch

HP re-imagines education through Auckland event launch

HP New Zealand held an inaugural Evolve Education event at Aotea Centre in Auckland, welcoming over 70 principals, teachers and education experts to explore ways of shaping and enhancing learning using technology.

HP re-imagines education through Auckland event launch
Show Comments