David Litchfield delivers some very strong medicine to Oracle in his open letter, “Complete failure of Oracle security response and utter neglect of their responsibility to their customers”. I wrote about Oracle’s bad attitude a few months ago, and it doesn’t seem to be getting better. His conclusion:
What is apparent is that Oracle has no decent bug discovery/fix/response process; no QA, no understanding of the threats; no proactive program of finding and fixing flaws. Is anyone in control over at Oracle HQ?
A good CSO needs to be more than just a mouthpiece. They need to be able to deliver and execute an effective security strategy that actually deals with problems rather than sweeping them under the carpet or wasting time by blaming others for their own failings. Oracle’s CSO has had five years to make improvements to the security of their products and their security response, but in this time I have seen none. It is my belief that the CSO has categorically failed. Oracle security has stagnated under her leadership and it’s time for change.
I urge Oracle customers to get on the phone, send an email, demand a better security response; demand to see an improvement in quality. It’s important that Oracle get it right. Our national security depends on it; our companies depend on it; and we all, as individuals, depend on it.