Tuesday, February 07, 2006

Oracle security interview - thoughts

Interesting article through Pete Finnegan's blog from an interview with one of oracle's security people.

A few quotes:
"We don’t hide our internally discovered vulnerabilities. When we discover something internally, we still mention it in our Critical Patch Updates."

"There are others [security researchers] who for their own good reasons choose to pressure us and put our customers at risk by a partial or early or zero-day disclosure of vulnerabilities in Oracle products."

So let me get this straight. If Oracle employees find a bug, then disclose it, it is a GOOD THING. If external parties practise partial disclosure, they are putting customers at risk. The exact meaning of 'zero day' disclosure is debateable. If it means disclosure prior to informing Oracle, then there is no excuse and it is BAD. They MAY mean disclosure before Oracle have patched it, but then what is "early disclosure" ?
Where they are referring to disclosure before a patch is available, there is room for debate. If there is a potential workaround to reduce risk, then publicising the issue plus the workaround, could benefit some customers.

"If you look at all of the vulnerabilities that my security group handles, we discover about 75% of them. About 10% is reported to us by our customers. The remainder comes to us through external security researchers. "

Mostly figures should add up to 100% but I don't think this is one of them. Remember, Oracle don't publicise bugs before they patch them, so a vulnerability could be 'discovered' by customers, researchers AND internal Oracle staff, just like America being discovered by the Carthaginians, Vikings, Chinese, Columbus, and so on (not to mention people already actually living there).



2 comments:

Peter K said...

Gary,
I think Oracle meant that even though their employees discovered security bugs/flaws, they are still disclosed in the CPU along with the fixes.

It's a slippery slope as a fix if not fully tested could break a lot of things.

Gary Myers said...

I agree. I'd add that I think the details they supply in their CPU are more targetted at 'what they've fixed, and so what you need to test' than letting you know what the fixed vulnerabilty actually was.

I felt the Oracle representative interviewed overly critical of security reasearchers who don't abide by Oracle's policies. I think there's room for professional disagreement. Sometimes Oracle will be right, sometimes the security reasearchers will be right.