Oracle CSO Mary Ann Davidson’s “No, You Really Can’t” blog post provoked a strong and very negative reaction in the security community.
In summary, Davidson is complaining that Oracle customers are violating their license agreements by reverse engineering software during security analyses. Oracle “[doesn’t] need or want a customer or random third party to reverse engineer [their] code to find security vulnerabilities”, so please just stop. Also, Oracle’s already really good at finding the bugs themselves, and your analysis tools produce almost 100% false positives, and your reports to us are a waste of everybody’s time, and the consultants running the tools for you are fleecing you, and the only way to find vulnerabilities is reverse engineering, and we’re not going to thank you for finding any. So, please, just stop.
It’s easy to skewer the post’s tone (condescending and peevish) and content (blustery) – plenty of others have been doing so. And it’s a little weird from the outset; Davidson says she’s writing the post to “get ahead” of a “large-ish uptick in customers reverse engineering our code to attempt to find security vulnerabilities in it.” I wonder how large “large-ish” has to be to attract the attention of C-level staff at a company the size of Oracle – indeed, to motivate her to write a lengthy blog post about it.
But the real problem is the attitude Davidson displays towards customers and security researchers. Rather than cooperative, it’s begrudgingly accepting – in fact, bordering on hostile.
Oracle’s not doing themselves any favors by answering customers who find legitimate security holes with an accusation of violating their license. That sounds like a deflection, not an enthusiastic commitment to security. In fact, it’s bad for the security industry as a whole: over the last couple of decades, third-party investigation – intensive audit or even curiosity and tinkering – has proven its value over and over by uncovering countless vulnerabilities and bad vendor practices. These are problems which would likely never have been fixed without public exposure. Contemptuously dismissing bug bounties and petulantly refusing to give credit in advisories rejects accepted practice and helps alienate the community. As one Twitter user notes, it motivates security researchers to publish vulnerabilities without warning – or, worse for everybody, sell them covertly.
Security is hard. Oracle needs help with it, just like Microsoft, Google, Facebook and Apple, just like every new Web startup and old Main Street hardware store. Writing “I do not need you to analyze the code since we already do that, it’s our job to do that, we are pretty good at it” is just going to alienate researchers and customers who are helping to improve your products – and the security community as a whole. There are substantial benefits to having the industry be positive toward you and interested in cooperating. For example, CVE-2015-2655, fixed in Oracle’s July 2015 Critical Patch Update, was discovered by an outside researcher.
Oracle has retracted Davidson’s blog post and issued a statement that “the post […] does not reflect our beliefs or our relationship with our customers,” which is heartening to see – somebody at the company understands that the white hats in the industry are on the same side. Hopefully Davidson will also come to see the value in cooperation, not confrontation.