Oracle hits back at security critics

Powered by SC Magazine
 

Database vendor's claim that it is "leading the industry" greeted with
chuckles.

Oracle has lashed out against security experts who criticized the company's security record.

The database vendor is "leading the software industry in terms of responsible development and security," charged Eric Maurice, manager for security in Oracle's global technology business unit in a posting on a company blog.

Security researchers in the past weeks have targeted Oracle with multiple studies and blog postings. Both security vendor NGS Software and analyst firm Enterprise Strategy Group (ESG) have published studies comparing the number of software updates in Oracle and Microsoft databases. Both studies found that Microsoft outshone its competitor.

Argentinean security vendor Argeniss last week said that it was planning to organise a 'Week of Oracle Database Bugs'. The company said it would release details of one unpatched security vulnerability every day for one week to demonstrate the poor level of Oracle's database security. The company has since suspended the event.

Oracle's Maurice wrote his blog posting in response to "articles and blog entries", but didn't specifically mention the ESG, NGS Software or Argeniss cases.

However he appeared to address the NGS Software and ESG studies by claiming that others were "trying to play the number game" and countered that the database vendor won't let "external perception drive our security policies".

He touted the company's support for the Common Vulnerability Scoring System, a relatively new standard that provides an independent way of rating the severity of security flaws. The programme is headed up by Cisco, while Microsoft is famously absent from its supporter list.

Indirectly lashing out at Argeniss, Maurice described researchers who published zero day exploits as irresponsible.

Rich Mogull, a research vice president with Gartner who heads up the firm's Information Security and Risk practice, said that the blog posting was mostly a public relations move.

While he agreed with the database vendor that disclosing zero day vulnerabilities is irresponsible, he told vnunet.com that the vendor's claim that it is "leading the industry in terms of responsible development and security" is overblown.

"I would not say that Oracle is an industry leader yet. They need to mature as an organisation in how they manage these vulnerabilities," Mogull told vnunet.com.

"Oracle is putting practices in place, but they definitely aren’t as far along as some of the others."

He also pointed out that there hasn't yet been a large scale attack targeting Oracle databases. If such a worm would surface however, it could cause major damage to corporate data or erase it altogether.

Customers are telling Oracle that they are dissatisfied with the firm's security record and the large number of patches it releases, but they aren't yet switching to competing products, Mogull added.

"If customers start buying other products, that would cause Oracle to change very quickly."

Copyright ©v3.co.uk


Oracle hits back at security critics
 
 
 
Top Stories
Making a case for collaboration
[Blog post] Tap into your company’s people power.
 
Five zero-cost ways to improve MySQL performance
How to easily boost MySQL throughput by up to 5x.
 
Tracking the year of CIO churn
[Blog post] Who shone through in 12 months of disruption?
 
 
Sign up to receive iTnews email bulletins
   FOLLOW US...
Latest Comments
Polls
Which is the most prevalent cyber attack method your organisation faces?




   |   View results
Phishing and social engineering
  68%
 
Advanced persistent threats
  3%
 
Unpatched or unsupported software vulnerabilities
  11%
 
Denial of service attacks
  6%
 
Insider threats
  12%
TOTAL VOTES: 1064

Vote