Oracle CSO Scolds Customers For Scanning Software For Security Bugs

Oracle Chief Security Officer Mary Ann Davidson, in a blog post published Monday, which has been removed, railed against customers and consultants for scanning the company's software for security bugs -- an act that she characterized as a violation of their licensing agreement with the vendor.

Davidson said Oracle has seen a large uptick in customers and consultants actively reverse engineering Oracle software to search for security vulnerabilities. While this is understandable given the pace with which new security threats are emerging, Davidson said it's not necessary for customers to do this because Oracle has the situation under control.

"I do not need you to analyze the code since we already do that, it’s our job to do that, we are pretty good at it, we can – unlike a third party or a tool – actually analyze the code to determine what’s happening and at any rate most of these tools have a close to 100 percent false positive rate so please do not waste our time on reporting little green men in our code," Davidson said in the blog post.

[Related: DataGravity Updates Security-Focused Data-Aware Storage Platform]

Customers, Davidson said, would be better served focusing on the basics, like patching, configuring and encryption appropriate data, instead of trying to hunt down new zero-day vulnerabilities in their vendor solutions.

"Often, [the vulnerabilities] are not much more than a pile of steaming … [fear, uncertainty and doubt]," Davidson said in the blog post.

Davidson said Oracle has been sending notices to customers and partners that have been reverse engineering its solutions. Not only is this a licensing agreement violation, it is a waste of time for Oracle, according to Davidson.

"I’d rather spend my time, and my team’s time, working on helping development improve our code than argue with people about where the license agreement lines are," Davidson said in the blog post. "I am not running away from our responsibilities to customers, merely trying to avoid a painful, annoying, and mutually-time wasting exercise."

An executive at an Oracle partner, who didn't want to be named, said Davidson made an understandable point about violations of the license agreement. However, he said Davidson's tone was "patronizing" and "basically compares Oracle customers to whiny children."

"This is an attitude that is pervasive among long-serving Oracle management, who view their customer base as ultimately at their mercy for contract and support issues," the executive said.

In an email statement to CRN, Oracle Executive Vice President and Chief Corporate Architect Edward Screven said security of the vendor's products and services is "critically important" to the company.

"The security of our products and services has always been critically important to Oracle. Oracle has a robust program of product security assurance and works with third party researchers and customers to jointly ensure that applications built with Oracle technology are secure. We removed the post as it does not reflect our beliefs or our relationship with our customers," Screven said in the statement.

PUBLISHED AUG. 11, 2015