Oracle pulls blog post critical of security vendors, customers

Oracle's head of security advised customers not to submit bug reports from third-party security analysis tools and services

Oracle published, then quickly deleted, a blog post criticizing third-party security consultants and the enterprise customers who use them.

Authored by Oracle chief security officer Mary Ann Davidson, the post sharply admonished enterprise customers for reverse engineering, or hiring consultants to reverse engineer, the company's proprietary software, with the aim of finding as of yet unfixed security vulnerabilities.

The missive, entitled "No, You Really Can't," was issued Monday on Davidson's corporate blog, then pulled a few hours later. The Internet Archive captured a copy of the post.

"We removed the post as it does not reflect our beliefs or our relationship with our customers," wrote Edward Screven, Oracle executive vice president and chief corporate architect, in a press statement emailed Tuesday.

The post responds to an increasing number of static analysis reports being submitted to Oracle by its customers. Static analysis is the process of inspecting the object code, or source code, of a program to find vulnerabilities.

Organizations may hire a third-party security consultant or program, from the likes of Veracode or Coverity, to scan the enterprise software it uses to look for as-of-yet unearthed bugs that could be exploited to gain entry to a system.

Davidson wrote that such tests are rarely necessary, and often point to flaws that don't exist.

"Most of these tools have a close to 100 [percent] false positive rate so please do not waste our time on reporting little green men in our code," she wrote.

Customers would be better served by keeping their software patched than by foraging for fresh obscure zero-day vulnerabilities, she wrote.

She reminded her customers that such scans, which inspect the object code of the actual program, violate the terms of Oracle's licensing agreements, because they constitute reverse engineering, which is the process of disassembling a technology to understand how it operates. Davidson also took a jab at bug bounty programs, in which companies such as Microsoft or Google offer cash rewards to researchers who dig up previously undiscovered software flaws. Such a program wouldn't be of much value to Oracle, since the company finds the majority of its bugs through internal testing.

Not surprisingly, many security firms were not happy with the blog post.

"Discouraging customers from reporting vulnerabilities or telling them they are violating license agreements by reverse engineering code, is an attempt to turn back the progress made to improve software security," wrote Chris Wysopal, Veracode chief technology officer and chief information security officer, in an email statement.

Tags Oraclepatch managementExploits / vulnerabilities

Show Comments