Oracle hits back at security critics

Powered by SC Magazine
 

Database vendor's claim that it is "leading the industry" greeted with
chuckles.

Oracle has lashed out at security experts who criticised the company's security record.

The database vendor is "leading the software industry in terms of responsible development and security," wrote Eric Maurice, manager for security in Oracle's global technology business unit, in a posting on a company blog.

Security researchers in the past weeks have targeted Oracle with multiple studies and blog postings. Both security vendor NGS Software and analyst firm Enterprise Strategy Group (ESG) have published studies comparing the number of software updates in Oracle and Microsoft databases. Both studies found that Microsoft outshone its competitor.

Argentinean security vendor Argeniss last week said that it was planning to organise a 'Week of Oracle Database Bugs'. The company said it would release details of one unpatched security vulnerability every day for one week to demonstrate the poor level of Oracle's database security. The company has since suspended the event.

Oracle's Maurice wrote his blog posting in response to "articles and blog entries", but didn't specifically mention the ESG, NGS Software or Argeniss cases.

However he appeared to address the NGS Software and ESG studies by claiming that others were "trying to play the number game" and countered that the database vendor won't let "external perception drive our security policies".

He touted the company's support for the Common Vulnerability Scoring System, a relatively new standard that provides an independent way of rating the severity of security flaws. The programme is headed up by Cisco, while Microsoft is famously absent from its supporter list.

Indirectly lashing out at Argeniss, Maurice described researchers who published zero day exploits as irresponsible.

Rich Mogull, a research vice president with Gartner who heads up the firm's Information Security and Risk practice, said that the blog posting was mostly a public relations move.

While he agreed with the database vendor that disclosing zero day vulnerabilities is irresponsible, he told vnunet.com that the vendor's claim that it is "leading the industry in terms of responsible development and security" is overblown.

"I would not say that Oracle is an industry leader yet. They need to mature as an organisation in how they manage these vulnerabilities," Mogull told vnunet.com.

"Oracle is putting practices in place, but they definitely aren’t as far along as some of the others."

He also pointed out that there has not yet been a large-scale attack targeting Oracle databases. If such a worm were to surface, however, it could cause major damage to corporate data or erase it altogether.

Customers are telling Oracle that they are dissatisfied with the firm's security record and the large number of patches it releases, but they aren't yet switching to competing products, Mogull added.

"If customers start buying other products, that would cause Oracle to change very quickly."

Copyright ©v3.co.uk