Oracle Talks Security


Oracle's chief security officer says she has a special weapon if the company's developers aren't designing products securely: She can rat them out to CEO Larry Ellison.

Mary Ann Davidson, who heads the software company's security efforts, said she's encouraged by upper management to tattle on developers who don't pay enough attention to security.

"I don't have time to have someone put four or five holes in their product," she said. "I have a silver bullet. I can rat someone out to Larry."

Davidson said she hasn't had to use that tactic much, but said the threat alone is effective. "Usually the 'I'm going to tell Larry on you' works pretty well," she said.

Davidson talked about Oracle's security measures at the Yankee Group's Securing the Enterprise conference held here Friday.

In a presentation entitled, "Making Security Part of Corporate DNA," she described Oracle's efforts to weave security into the corporate culture. Oracle touts its products as "unbreakable."

"Security needs to become part of your genetic material," Davidson told conference attendees.

Davidson outlined steps Oracle has taken, including secure coding standards that are used in product development instead of trying to add security at the end of the development cycle.

"Security is in every single template that we use to build our products," she said.

The company's development cycle includes "ethical hacking" to test the systems, she said. "The idea is to break your own stuff before someone else does," she said.

Oracle aims to make software secure by default, something that vendors often leave to customers as a configuration issue, she said.

Patches are very disruptive for customers, who shouldn't put up with shoddy security from vendors, Davidson said.

"Customers should hold their vendors to a very high standard," she said. "The only way you can hold your vendor accountable is through your pocketbook."