Oracle: Mary Ann Davidson blog 'does not reflect our beliefs or relationship with our customers'

Executive VP promises 'a robust programme of product security assurance' for licence holders

Oracle has responded more fully to yesterday's public outrage at CSO Mary Ann Davidson's blog post - which demanded customers not attempt to find and fix their own bugs in Oracle software - saying Davidson's blog "does not reflect [Oracle's] beliefs or... relationship with [its] customers".

The blog, which was quickly removed after publication, argued that "only the vendor" can and should look for bugs in its own software, and that customers "can't produce a patch for a problem".

More controversially, the blog suggested that under the terms of Oracle licensing agreements customers and consultants should "destroy the results of... reverse engineering" undertaken in an effort to fix bugs.

In response to the furore over Davidson's blog, Oracle executive vice president and chief corporate architect Edward Screven released a statement that said:

"The security of our products and services has always been critically important to Oracle. Oracle has a robust program of product security assurance and works with third party researchers and customers to jointly ensure that applications built with Oracle technology are secure.

"We removed the post as it does not reflect our beliefs or our relationship with our customers."

Davidson's most recent blog post may have been removed, but the outspoken CSO has left a trail of other customer-baiting comments behind in previous entries.

In a post entitled "Mandated Third Party Static Analysis: Bad Public Policy, Bad Security", Davidson again argued against customer or consultant interference in analyzing compiled code from vendors.

"The argument for third party code analysis is that customers would like to know that they are getting 'reasonably defect-free' code in a product," wrote Davidson.

However, she said, Oracle does not necessarily agree with the practice.

"Oracle believes third party static analysis is at best infeasible for organizations with mature security assurance practices and - well, a bad idea, not to put too fine a point on it," she continued.

Davidson said it was a "bad idea" because it resulted in "worse, not better security", "increased security risk to customers", "an increased risk of intellectual property theft" and "increased costs for commercial software providers without a commensurate increase in security".

Meanwhile, in a post entitled "Is Your Shellshocked Poodle Freaked Over Heartbleed?", also from March 2015, Davidson described the publicity around vulnerabilities such as Heartbleed - which at the time was estimated to affect up to 17 per cent of global OpenSSL-based servers - as "out of proportion".

"Customer panic is a good thing - sorta - if the vulnerability is the equivalent of the RMS Titanic's 'vulnerability' as exploited by a malicious iceberg," said Davidson.

"It's not a good thing if we are talking about a rowboat with a bad case of chipped paint."