Oracle Exec Clarifies Finer Points of 'Unbreakable' Campaign

Oracle's "unbreakable" campaign isn't about security features and functions but about information assurance, said Mary Ann Davidson, chief security officer at the software giant.

"Assurance is not about bells and whistles [or what kind of encryption and authentication you do]," she said in a recent interview with CRN. "It's [about] how well-formed your security mechanisms are."

One of the main ways to establish information assurance is to have an outside security evaluation, she said. Oracle in June announced that it completed its 15th independent security evaluation for its database. Completion of the Common Criteria evaluation at Evaluation Assurance Level 4 complies with a new U.S. policy that took effect on July 1 and requires federal agencies associated with national security to buy only independently evaluated products.

The independent evaluations give Oracle an edge on the competition in the federal market, Davidson said. She said the reviews have changed the way the company develops its software, produced better products and instilled a strong culture of security at Oracle. "We've done this for 10 years. It's not like we woke up yesterday and said, 'Let's pay attention to security,' " she said.

But some security experts are skeptical. "First, there's no absolute in security, so their statements are extremely bold. Second, there are many Oracle vulnerabilities published on a daily basis," said Steve Crutchley, chief security officer at 4FrontSecurity, a consulting firm in Reston, Va. "It seems they are somewhat confused on what security really is since these vulnerabilities indicate their house is not in order."

By calling itself unbreakable, Oracle has stuck its neck out on security and worked hard to address the issue, Davidson said. Oracle doesn't bash security researchers who find software vulnerabilities, but it does try to get them to understand that fixing a vulnerability requires extensive work and may take some time, she said. Most researchers understand that, but there are some who go ahead and notify the world of a vulnerability before giving the vendor a chance to fix it, she said.