Stop trying to find security glitches in our products - 'only the vendor can do that' says Oracle CSO

Mary Ann Davidson blog chastises customers trying to solve own zero-day problems in Oracle software

[UPDATE]

Mary Ann Davidson's blog has now been taken down by Oracle, as confirmed to Computing by an Oracle spokesperson.

When asked why the company had removed Davidson's blog, the spokesperson replied that Oracle has "nothing further to add at this time".

[ORIGINAL STORY]

Oracle chief security officer Mary Ann Davidson has warned customers off trying to discover and combat security problems in the vendor's software, saying "only the vendor can do that".

"I can understand that in a world where it seems almost every day someone else had a data breach and lost umpteen gazillion records to unnamed intruders who may have been working at the behest of a hostile nation-state, people want to go the extra mile to secure their systems," Davidson writes in an outspoken entry on her company blog.

"That said, you would think that before gearing up to run that extra mile, customers would already have ensured they've identified their critical systems, encrypted sensitive data, applied all relevant patches, be on a supported product release, use tools to ensure configurations are locked down - in short, the usual security hygiene - before they attempt to find zero day vulnerabilities in the products they are using."

This, she said, was in response to a "large-ish uptick" in customers "reverse engineering [Oracle] code to attempt to find security vulnerabilities in it".

Davidson suggests that a customer attempting to find their own security holes is "doing the vendor's job for him/her/it", and warns that "a customer can't analyse the code to see whether there is a control that prevents the attack the scanning tool is screaming about", "can't produce a patch for the problem" and is "almost certainly violating the license agreement by using a tool that does static analysis", a technique she notes operates "against source code".

But Davidson's attack on customers takes a slightly bizarre turn when, after reiterating that she is "not beating people up over this merely because of the license agreement", she goes on to explain that if Oracle's analysis of bugs reported by users determines that they were discovered by reverse engineering, these users will be discouraged from doing so in future.

Not only that, but Oracle also "require[s] customers/consultants to destroy the results of such reverse engineering and confirm they have done so", Davidson writes.

Davidson also goes on to say that "if there is an actual security vulnerability, [Oracle] will fix it".

"We may not like how it was found but we aren't going to ignore a real problem - that would be a disservice to our customers," she says.

Davidson is also not a fan of the kind of "bug bounties" that the likes of Microsoft and Facebook offer:

"<Bigger sigh.>" she writes.

"Bug bounties are the new boy band (nicely alliterative, no?). Many companies are screaming, fainting, and throwing underwear at security researchers... to find problems in their code and insisting that This Is The Way, Walk In It: if you are not doing bug bounties, your code isn't secure."

However, Davidson claims that Oracle finds 87 per cent of vulnerabilities itself, security researchers find a further three per cent, and customers find "the rest" (despite apparently not being allowed to).

"I am not dissing bug bounties, just noting that on a strictly economic basis, why would I throw a lot of money at [three per cent] of the problem (and without learning lessons from what you find, it really is 'whack a code mole') when I could spend that money on better prevention like, oh, hiring another employee to do ethical hacking," Davidson reasons.

Computing recently covered how a study by not-for-profit organisation Campaign for Clear Licensing (CCL) found Oracle's relationship with its customers to be "hostile and filled with deep-rooted mistrust".

What do you make of Davidson's comments? Fair, or arrogant? Do you reverse-engineer Oracle's code to find bugs, and does it work for you? Or is the whole thing best left alone? Please comment below!