Oracle


Litchfield plays Nathan to Oracle’s David

The Greeks believed that the Oracle at Delphi was the center of the universe (the “navel of the world,” they called it). People throughout the Hellenistic (Greek) world would travel to the Oracle to ask all sorts of questions, and the Oracle (specifically the priestess within the Oracle) would provide a (usually ambiguous) answer. Like most ancient cultures, the role of the Oracle was not...

Oracle Vulnerabilities and the CVSS

In the past, I’ve jumped all over Oracle about their vulnerability issues. So when I saw folks alleging that Oracle is potentially downplaying vulnerabilities in their software by under-weighing them (in other words, deliberately misrepresenting the seriousness of the vulnerabilities when coming up with the CVSS score), I was very interested. Here’s the background story: this month,...

Evidence that Mary Ann Doesn’t Read the Michael Howard blog

In his entry “Security Analogies are Usually Wrong,” Michael Howard does a bit of delving into the “software security by analogy” point of view: I usually roll my eyes when I hear statements like,

Oracle on Software Security

Oracle has (probably wisely) been keeping their head down the past few months, so imagine my excitement when I saw that IDG put out this where Oracle discusses their approach to software security. And there’s some choice stuff in there – the article starts with Mary Ann Davidson commenting on the “unbreakable” campaign. Talking about her reaction when she first heard it,...

Whipping Boy Update: Oracle

Just when you thought there was nary a peep about Oracle in the industry press, along comes Information Week with a four-page take on Oracle’s patching process. The piece highlights some of the criticism that Oracle’s had from David Litchfield, Red-Database-Security, etc. The article’s long, but well worth the read. There’s some great stuff here, and the fact that a major...

Oracle’s Hubris: Punishment is Coming

In case you missed it, Oracle has put the world on notice to “turn security rhetoric into action”. That was the theme of Evelyn Sell’s (Senior Program Manager with Oracle) presentation last week at SECURECon; basically she took the stage to tell all of us security practitioners and developers that there is no excuse for security rhetoric that isn’t backed up by action. ...

Oracle to World: “Security Mission Accomplished…”

Oracle has responded to the charges from Gartner and others that it is the new security whipping-boy by sending out the message that “it’s totally handled”. This time it’s Hasan Rizvi, VP of security products who’s sending the message: Our customers are so used to high security that when there is a vulnerability they don’t apply the fix because they are not...

Dave Litchfield Tells It Like It Is

Ever see two dogs fight? I don’t mean the “oooh, let’s roll around and get dirty” play-fighting – I mean the snarling, snapping, frothy-mouthed, “Cujo” kind of fighting. For those of you who have seen that in action, concentrate on that image, and you’ll have a succinct description of the current relationship between Dave Litchfield and...

Gartner goes “Jean Claude” on Oracle

Rob over at Googgun always comes through with the good information. This time, he sent me a great link to this article describing how Gartner hammered Oracle’s security practices like when Dux landed the “Dim Mak” in Bloodsport. Granted, Gartner’s a bit late to the party on this one – a number of analysts have been critical of Oracle for a while now – but...

Inside Oracle’s Patch Kimono

Computerworld just ran a down and dirty discussion with Duncan Harris, vulnerability and patch guy over at Oracle. In the past, I’ve been critical of Oracle’s approach to patching their applications – particularly in light of opinions published by David Litchfield and others. After reading this, I’m even more critical. Take a look at some of the responses, like here...
