Oracle's Security AbsurdityThou Shalt Not Question Our Products, Claims Security Chief
Thou shalt not reverse engineer or inappropriately test Oracle's products, because it is prohibited by our end user licensing agreement.
That was the stunning diktat issued by Oracle CSO Mary Ann Davidson in her "No, You Really Can't" blog post - now widely mirrored across the Internet - that reads somewhere between an arrogant rant and the gonzo missive of someone who's just stumbled out of a daze. The blog has already sparked an #oraclefanfic meme celebrating the awesome power of end user licensing agreements.
"Please comply with your license agreement and stop reverse engineering our code, already."
While the blog post starts off on a sane-sounding note, it quickly gains a tone of arrogance, dismissing bug bounties as "the new boy band," likening certain types of software testing to marital infidelity, and claiming that vulnerability-scanning tools, when used incorrectly, have "close to a 100 percent false positive rate." In fact, many in the information security research community have read Davidson's post as a declaration of war.
What Davidson was highlighting was this: Customers are reverse-engineering Oracle's code to see if it's both well-written and secure, and she doesn't like that, noting that she's been having to send an increasing number of letters to customers that read: "Please comply with your license agreement and stop reverse engineering our code, already." She also accuses organizations of failing to do the security basics to prevent data breaches, such as encrypting sensitive data, before they jump to hiring a third-party crew to go looking for zero-day flaws in Oracle's products.
The message: Oracle's security chief - and to be fair, probably lots of other vendors - really hates it when customers take it upon themselves to review Oracle's code, instead of trusting Oracle. "We run tools against the source code (as well as against executable code), it's actually our job to do that, we don't need or want a customer or random third party to reverse engineer our code to find security vulnerabilities. And last, but really first, the Oracle license agreement prohibits it. Please don't go there," she writes.
Don't Forget Java
While the missive might be forgiven as eccentricity from a company that had a proven, ironclad security track record, don't forget that Oracle is the company that brings you the Java Web browser plug-in, which - after Flash - currently ranks as the second-most successfully exploited piece of code by online attackers. Furthermore, many Java flaws have been unearthed not by Oracle, but by third-party researchers, who share those details with Oracle rather than selling them to the highest bidder on the black market, where they could be weaponized and used to silently compromise Oracle product users.
Oracle has a number of well-known - and respected - security researchers on staff. But simply saying "trust us" does not cut it.
Declaiming that the end user license agreement prohibits customers from running certain types of checks on Oracle's software also misses this real-world point: Plenty of others won't be playing by those rules. "The security research community, both friendly and adversarial, doesn't have a concept of 'No, You Really Can't' - the title of Mary Ann Davidson's post," says Casey Elllis, CEO of crowdsourced bug-finding firm Bugcrowd, in a blog post. "They challenge assumptions and find out how things actually work, as opposed to how they are supposed to work. This feature is precisely what makes the good guys valuable, and the bad guys particularly scary."
In fact, by angering the security research community, Davidson may find that many more security researchers will now start looking for exploitable flaws in the 1,333 products or components that Oracle supports.
Finding new bugs may not be difficult, says ERP researcher Polyakov Alexander, CTO and founder of the Enterprise Application Security Project, who says that many of the more than 30 flaws he's discovered to date in Oracle products - and helped the company fix - should have been spotted during quality-assurance testing, before Oracle shipped the product or update. "For most of the issues I've found, I did not use any reverse-engineering tools, I just tried to enter data in the field where nobody expected this type of data," he says. "Simple? Yes! And that works!"
Oracle has already excised Davidson's blog post from its site. "We removed the post as it does not reflect our beliefs or our relationship with our customers," Edward Screven, Oracle's vice president and chief corporate architect, says in an emailed statement. "The security of our products and services has always been critically important to Oracle. Oracle has a robust program of product security assurance and works with third party researchers and customers to jointly ensure that applications built with Oracle technology are secure."
But some things cannot be unsaid, and security experts are continuing to debate the effect on Oracle's relationship with its customers, as well as the research community.
Where's the Confidence?
In her blog post, Davidson says that rather than sending threatening letters to clients about the EULA, she always offers "to explain what we do to build assurance into our products, including how we use vulnerability finding tools." She adds: "I want customers to have confidence in our products and services."
Davidson's blog post, however, seems to have the opposite effect. Whether that has an impact on the organizations that now use Oracle's products remains to be seen, but Belgian-based information security professional Dirk Praet argues that customers' confidence in Davidson and Oracle's security practices is likely now at an all-time low.
@euroinfosec It will almost certainly change Oracle's relation with her. No CxO can be this out of touch without becoming a public liability” Dirk Praet (@DPRamone) August 11, 2015
In fact, many security experts are now questioning Oracle's approach to security. Notably, the company has no program akin to Microsoft's Trustworthy Computing initiative, launched by Bill Gates in 2003, which promised to take security seriously, issue monthly patch updates, and be more transparent with customers. Eventually, Microsoft also got smart about working with - not against - the security research community.
Jeremiah Grossman, CTO of application security vendor WhiteHat, and co-founder of the Web Application Security Consortium, says it's time for Oracle to show that it too takes security seriously, by launching its own Trustworthy Computing program.
I hope Oracle will soon issue a Microsoft-style Trustworthy Computing memo. Their software is too important for the current policy to stand.” Jeremiah Grossman (@jeremiahg) August 11, 2015
Instead of threatening legal action against customers with valid concerns about Oracle's products, it's time for Oracle to do a better job of not just saying, but proving, that it takes security - and the security research community - seriously.
Principal Correspondent Varun Haran also contributed to this post.