Oracle hits back at security critics

Powered by SC Magazine
 

Database vendor's claim that it is "leading the industry" greeted with
chuckles.

Oracle has lashed out against security experts who criticized the company's security record.

The database vendor is "leading the software industry in terms of responsible development and security," charged Eric Maurice, manager for security in Oracle's global technology business unit in a posting on a company blog.

Security researchers in the past weeks have targeted Oracle with multiple studies and blog postings. Both security vendor NGS Software and analyst firm Enterprise Strategy Group (ESG) have published studies comparing the number of software updates in Oracle and Microsoft databases. Both studies found that Microsoft outshone its competitor.

Argentinean security vendor Argeniss last week said that it was planning to organise a 'Week of Oracle Database Bugs'. The company said it would release details of one unpatched security vulnerability every day for one week to demonstrate the poor level of Oracle's database security. The company has since suspended the event.

Oracle's Maurice wrote his blog posting in response to "articles and blog entries", but didn't specifically mention the ESG, NGS Software or Argeniss cases.

However he appeared to address the NGS Software and ESG studies by claiming that others were "trying to play the number game" and countered that the database vendor won't let "external perception drive our security policies".

He touted the company's support for the Common Vulnerability Scoring System, a relatively new standard that provides an independent way of rating the severity of security flaws. The programme is headed up by Cisco, while Microsoft is famously absent from its supporter list.

Indirectly lashing out at Argeniss, Maurice described researchers who published zero day exploits as irresponsible.

Rich Mogull, a research vice president with Gartner who heads up the firm's Information Security and Risk practice, said that the blog posting was mostly a public relations move.

While he agreed with the database vendor that disclosing zero day vulnerabilities is irresponsible, he told vnunet.com that the vendor's claim that it is "leading the industry in terms of responsible development and security" is overblown.

"I would not say that Oracle is an industry leader yet. They need to mature as an organisation in how they manage these vulnerabilities," Mogull told vnunet.com.

"Oracle is putting practices in place, but they definitely aren’t as far along as some of the others."

He also pointed out that there hasn't yet been a large scale attack targeting Oracle databases. If such a worm would surface however, it could cause major damage to corporate data or erase it altogether.

Customers are telling Oracle that they are dissatisfied with the firm's security record and the large number of patches it releases, but they aren't yet switching to competing products, Mogull added.

"If customers start buying other products, that would cause Oracle to change very quickly."

Copyright ©v3.co.uk


Oracle hits back at security critics
 
 
 
Top Stories
The True Cost of BYOD - 2014 survey
Twelve months on from our first study, is BYOD a better proposition?
 
Photos: Unboxing the Magnus supercomputer
Pawsey's biggest beast slots into place.
 
ANZ looks to life beyond the transaction
If digital disruptors think an online payments startup could rock the big four, they’ve missed the point of why people use banks, says Patrick Maes.
 
 
Sign up to receive iTnews email bulletins
   FOLLOW US...
Latest Comments
Polls
What is delaying adoption of public cloud in your organisation?







   |   View results
Lock-in concerns
  29%
 
Application integration concerns
  3%
 
Security and compliance concerns
  28%
 
Unreliable network infrastructure
  9%
 
Data sovereignty concerns
  21%
 
Lack of stakeholder support
  3%
 
Protecting on-premise IT jobs
  4%
 
Difficulty transitioning CapEx budget into OpEx
  3%
TOTAL VOTES: 1099

Vote