[ISN] Backing Up Oracle's "Unbreakable" Vow

From: InfoSec News (isn@c4i.org)
Date: Tue Jan 15 2002 - 10:21:16 CST


http://www.businessweek.com/bwdaily/dnflash/jan2002/nf20020115_8894.htm

By Alex Salkever
JANUARY 15, 2002

It's up to new Chief Security Officer Mary Ann Davidson to make the
software giant's extremely risky claim stick

Mary Ann Davidson is one cool customer -- but she has to be. As chief
security officer for database and business-software giant Oracle, her
job is making sure that its programs live up to the "Unbreakable"
claim that's at the center of an ongoing marketing campaign. The
pitch, a favorite of Oracle CEO Larry Ellison, seeks to convince
customers that Oracle software will foil any and all cyberattacks.

As Davidson well knows, such claims are anathema in the information
security community, where consensus holds that any piece of software,
no matter how secure, can be cracked. The boast has attracted a huge
spike in hacker attacks against Oracle's Web site. The company claims
that so far, none have been successful. However, security researcher
David Litchfield recently announced that he found a vulnerability in
Oracle's application-server software in December 2001.

Davidson, one of a handful of women occupying a high rank in the
information security universe, is unfazed. She started her career as a
civil engineer working with the Navy Seabees and has spent the past 14
years with Oracle, where she ascended to the CSO slot in December. On
Jan. 11, she spoke with BusinessWeek Online Technology Editor Alex
Salkever. Here are edited excerpts of their conversation:

Q: So how did Larry Ellison convince you to sign off on the
"Unbreakable" promo campaign? I would be terrified as a chief security
officer to do that.

A: He decided to run "Unbreakable" before I started as chief security
officer, so I have an easy out. Larry has said publicly that when he
first proposed "Unbreakable," the biggest pushback he got [inside the
company] was from the server technologies group, which includes my
group.

Calling your code "Unbreakable" is like having a big bull's-eye on
your products and your firewall. Obviously, nobody wants to be a
target. But when we thought about it, we thought: what does
"Unbreakable" really speak to? It speaks to product assurance. I stand
behind that commitment and our products.

Q: Do you really think the product is "Unbreakable," or is it just a
lot less breakable?

A: Well, think about what the opposite of "Unbreakable" would be: "Our
products can be broken into, and we don't care." Look, our core
customers are among the most security-conscious in the world. I
respectfully and somewhat lovingly refer to them as the professional
paranoid. I'm not allowed to say who they are, but you can guess.

Even if we don't do things perfectly but we do it much better than our
competition and customers purchase Oracle on that basis, you will see
the overall level of security improve in the industry. "Unbreakable"
gives us something to live up to. It really does concentrate the mind
wonderfully. The general thought is don't embarrass the company.
Nobody wants to be the group that makes us violate it.

Q: When did Ellison start to become interested in the idea of securing
things and making security a chief concern?

A: He has always been concerned about it, and he has always been very
knowledgeable about it. He knew that we had a security group, and he
knew what we built, down to a fairly technical understanding of the
product. But I think "Unbreakable" is a reflection of a big change.
[It used to be] security was something that only the professional
paranoid worried about. Now, with the growth of the Internet, security
is something that everyone has to be concerned about. You must
admit, from a marketing standpoint, it has a punchy sound. It's a lot
better than "Pretty Darned Good Security."

Q: How did Oracle go about securing its products? What did you do
differently?

A: Not that much different, actually. We used the same processes we
have used before in terms of putting secure programming and
development standards in place. We are being more stringent and, dare
I say, draconian, in making sure people adhere to coding standards and
product check-off lists before we ship products.

Q: Tell me more.

A: In addition to having coding standards, we make every group that
owns a line item in our product components complete a questionnaire
that is geared toward making sure we avoid the top 15 stupid security
mistakes companies get burned on. Some of the check-offs are on the
propeller-head level, like checking for buffer overflows [a security
vulnerability where a hacker can overload an entry field with
characters, causing a computer to crash and possibly allowing
cyberintruders to break into the system]. Something like 80% of all
security vulnerabilities published have to do with buffer overflows.

The check-offs go down to things like forced password changes for
default accounts. [While] a lot of it is Security 101, some of it is
more technical. With those lists, it's 100% compliance. We are not
going to allow any deviation at all.

Q: What do you think are the broad lessons the software industry could
learn from your experiences at Oracle and with "Unbreakable"?

A: You can't slap it on at the end. If you don't commit to a secure
product [throughout its entire life cycle], you can't engineer it in
at the end and expect to have secure products.

Q: What are the three most important steps any company can take to
build more secure software?

A: The line in real estate is "location, location, location." In
security, it's not as straightforward but it's the same idea --
"culture of security, culture of security, culture of security." If
you don't maintain a corporate culture that puts security as an
important thing, you can't convince your developers to make your code
as bulletproof as possible.

Q: Has security sealed any deals for you with people who were sitting
on the fence?

A: Absolutely. You have seen our marketing campaigns from the past. I
was joking we should run one that said two out of three e-paranoids
run on Oracle.

ISN is currently hosted by Attrition.org