[SC-L] Silver Bullet turns 2: Mary Ann Davidson
Andrew van der Stock
vanderaj at owasp.org
Wed Mar 26 18:32:37 EST 2008
Gary,
Good interview.
The discussion on being unable to develop trust relationships with
contractors who release exploits was interesting, and I wished that
there was more discussion on that point. I would have thought signing
a contract made it easier to sue for breach of contract than untested
laws (or bad laws like the UK's RIPA), so much so that you'd really think
twice, as well as the negative downside of being considered
untrustworthy with confidential data - which is like a plague to any
consultancy business.
I really wish Ms Davidson had gone into detail on their SDL, as to
what is really in there, and where we could read it and review it.
Oracle's is an interesting turnaround considering back in 2005 /
2006, the research community and Oracle's relationship was at an all-time
low, essentially begging Oracle to put in an SDL and address the
security defects properly without outside folks finding them first.
I have since read that fences have been somewhat mended between
researchers, such as David Litchfield, and Oracle. I still wince at
that episode - it was entirely unprofessional of Oracle to attack
Litchfield, who was practicing responsible disclosure for up to
600-800 days, when 30 is the norm. I personally was extremely
unimpressed with Oracle's approach of shooting the messenger rather
than fixing the product.
I must admit that episode led me to dismiss Oracle as the walking dead
as they obviously couldn't be trusted with data of value, and so
didn't follow news about Oracle ... until this interview.
I'm glad they're now using automated SCA tools and fuzzers, that they're
now finding most of the security issues themselves, have an internal
review team, and my personal favorite - developer awareness /
education. This is a 180 degree turnaround from the era prior to 2005/2006.
I particularly like that she's going to the universities and asking
them to teach coding security. This is what they SHOULD have been
doing rather than attacking the research community.
I'm glad that Oracle is now drinking the Kool-Aid and treating
security as a fundamental software engineering requirement. It's about
time.
Thanks,
Andrew van der Stock
Lead Author, OWASP Guide to Writing Secure Applications and OWASP Top 10