Oracle's Cybersecurity Czar: We Can Find Our Own Bugs, Thanks

Reverse engineering is a "sin," and bug bounties are useless, according to Oracle's cybersecurity chief.

Aug 11 2015, 4:26pm

Image: Chang Ju Wu/Flickr

We've all had our share of embarrassing, ranty blog posts. We can take solace in the fact that at least we published those on our personal Blogger or Tumblr.

Mary Ann Davidson, the chief security officer of Oracle, on the other hand, published her rant on the corporate blog of one of the world's largest tech companies during the age of Twitter. In her rant, which has now been deleted (but mirrored in a lot of different places), she basically told the whole security industry to stop trying to find bugs in Oracle software, because Oracle's security engineers don't need help doing their jobs.

"Writing mysteries is a lot more fun than the other type of writing I've been doing," Davidson wrote, complaining that lately she's had to tell a lot of customers to stop reverse engineering Oracle's code to find bugs, because that's not only against the company's license agreement, but it's a waste of her time.

"If we determine as part of our analysis that scan results could only have come from reverse engineering (in at least one case, because the report said, cleverly enough, 'static analysis of Oracle XXXXXX'), we send a letter to the sinning customer, and a different letter to the sinning consultant-acting-on-customer's behalf – reminding them of the terms of the Oracle license agreement that preclude reverse engineering, So Please Stop It Already," she continued.

Her long post was so surprising that some in the information security world initially believed it wasn't written by her.

A few hours after the post started making the rounds, Oracle confirmed that the company deleted it because it did not "reflect our beliefs or our relationship with our customers."

"The security of our products and services has always been critically important to Oracle," Edward Screven, the Executive Vice President and Chief Corporate Architect at the company, said in a statement. "Oracle has a robust program of product security assurance and works with third party researchers and customers to jointly ensure that applications built with Oracle technology are secure."

In the meantime, after the initial disbelief, hackers and security researchers all over Twitter have been mocking the blog post.

Jokes aside, Chris Wysopal, co-founder and chief technology officer of Veracode, tweeted that Davidson's post isn't really funny, since he is among those who have received a letter from Oracle warning them not to break its license agreement.

Wysopal criticized Davidson's post for being out of touch and retrograde.

"We now rely on software for everything—health, safety and well-being—and crafting a policy of 'see something, say nothing' puts us all at risk," he wrote in an email to Motherboard. "Discouraging customers from reporting vulnerabilities or telling them they are violating license agreements by reverse engineering code, is an attempt to turn back the progress made to improve software security."


As someone noted, this is not the first time Davidson has railed against reverse engineering. In a perhaps less wordy 2011 post, Davidson seemed to take aim at the software auditing security company Veracode (without naming it), complaining about its model of offering static analysis of code (or reverse engineering) as a service.

This time, however, she also took aim at the "sinners" who use reverse engineering to file bug reports, which are often "not much more than a pile of steaming... FUD." In other words, don't even bother looking into Oracle's code because you won't find any bugs there.

And she also took a swipe at bug bounty programs, which have quickly become a very popular way for companies to reward researchers who find vulnerabilities and report them to the companies that make the software.

"Bug bounties are the new boy band (nicely alliterative, no?) Many companies are screaming, fainting, and throwing underwear at security researchers to find problems in their code," Davidson wrote, explaining that Oracle doesn't do bounties because it finds 87 percent of bugs itself, so it wouldn't make economic sense.

Some in the community had a creative way of responding to her claims.

This post has been updated to include Chris Wysopal's comments, as well as Oracle's statement.