November 27, 2006

Oracle Software Security Assurance update

Hi, this is Eric Maurice again.

There was a flurry of articles and blog entries written about Oracle security in recent days. I thought I would take this opportunity to discuss some aspects of Oracle Software Security Assurance, including the important role played by security researchers.


First and foremost, it is important to realize that one of Oracle's highest priorities is the security of our customers. With Oracle Software Security Assurance, our objectives, policies, procedures, and people are all aligned with the intent of providing customers with the strongest security in all of our products.


This commitment also means that we are dedicated to enforcing good security practices throughout the lifecycle of our products in order to eliminate vulnerabilities and security flaws from those products. For example, our Secure Coding Standards have been developed over the years and are designed to help designers create safe and secure code. Oracle Software Security Assurance also specifies procedural steps to design secure products, and periodically assesses their compliance against Oracle's coding standards and other security requirements expressed as early as the design phase. In this area, we led the industry by example by submitting many of our products to external security evaluations, such as the Common Criteria, because in addition to clearly stating what the security capabilities of a product are, such evaluations serve as proof points that development practices are properly documented, implemented, and enforced. External security evaluations are not meant to replace proper testing during development. A little while back, Duncan Harris wrote a great blog entry describing what external security evaluations mean for Oracle.


Because software engineering is a complex discipline, the absence of security flaws in released software cannot be fully guaranteed. Such flaws may be detected during internal testing, or may be discovered externally by customers and security researchers. Regardless of who discovers these issues, Oracle's top priority is to efficiently fix those flaws across all supported platforms in order to allow customers to maintain their security posture. This means that Oracle prioritizes those security flaws in order of severity, regardless of how they were discovered, in order to produce the appropriate fix. This also means that we acknowledge all of the vulnerabilities at the time of the issuance of the appropriate fix (for example, at the time of the Critical Patch Update), and we credit security researchers for any vulnerability they discovered in the Critical Patch Update documentation.


However, we do not credit security researchers who disclose the existence of vulnerabilities before a fix is available. We consider such practices, including disclosing "zero day" exploits, to be irresponsible, as they can result in needlessly exposing customers to risk of attack.


We closely monitor the publication of such "zero day" exploits to assess the reality of the threat they pose, communicate our findings to our customers, and potentially issue a security fix through the Critical Patch Update or Security Alert mechanisms. Ultimately, we seek to work with security researchers as partners for the purpose of making our products more secure. Today we often contract security researchers for the purpose of white hat testing. But we do not contract security researchers for competitive research, or for the main purpose of placing them under a contractual "obligation of silence."


As I previously stated, one of Oracle's highest priorities is the security of our customers. We believe that a key requirement to meeting this objective is to be transparent about our policies, even if this sometimes means that we will be under additional public scrutiny. As opposed to trying to play the numbers game and letting external perception drive our security policies, we:

- Disclose the existence of vulnerabilities once cured, even if they are discovered internally.

- Prioritize vulnerabilities based on their criticality, not based on who discovered them.

This focus on "transparency" was again demonstrated recently when Oracle was one of the first companies to adopt the Common Vulnerability Scoring System (CVSS), which provides a standards-based approach to enable customers to assess the criticality of a particular vulnerability in their environment.


More than a marketing gesture, Oracle Software Security Assurance is evidence of Oracle's commitment to leading the software industry in terms of responsible development and security. While some people may question individual security issues that arise, they cannot dismiss the security innovations that Oracle has brought to market consistently over the last 27 years. Furthermore, they cannot contest Oracle's adoption of some of the most transparent and customer-focused policies in the software industry. These are evidence of an unparalleled commitment to our customers' security.

This page contains all entries posted to The Oracle Global Product Security Blog in November 2006. They are listed from oldest to newest.
