The security industry is in for some turbulent times. We're gearing up for a fight to rival the last 20 minutes of Return of the King (you know, where the good guys fight the baddies on the plains of Valinor). Everything is in place and the troops are lined up: on the one side we have the scattered resistance fighters: academia, security researchers, the security press, bloggers, etc. On the other we have the vast and "unbreakable" legions of the seemingly all-powerful Oracle.
The situation is just about to come to a head. In the past two days, we've had published academic papers describing the trivial nature of breaking Oracle passwords, and we've had chaos ensue related to the "patch maelstrom" put out by Oracle. All while we can still hear the steady and unwavering pounding of David Litchfield's war drums as he says things like:
"That was the last straw... I was extremely disgusted and upset, and I think their customers should take umbrage too. Oracle needs to re-address their security philosophies -- their understanding of what security is and what it means."
But still Oracle's propaganda machine rolls on. Highlighted in the security section of the Oracle website is an OTN interview with Mary Ann Davidson distilling Oracle's position in the following words:
Davidson: Oracle continues to look at innovative ways to prevent security faults in software development, and remediate these prior to product shipment. For example, we have done security-specific code reviews focused on finding and eliminating the most common security faults, and we are exploring a number of source code scanning tools. We are also rolling out a comprehensive class on secure coding practice.... Oracle remains second to none in its commitment to secure product development and market-leading security features... Oracle augments this with a formal secure development process, secure coding standards, worldwide training on secure coding practice, exit criteria for security for each product release, and product assessments (ethical hacking) performed by both internal personnel and selected external firms.
Mark my words: this situation is about to erupt, and when it does, there will be heavy casualties.