Wednesday, 12 August 2015

The All-Knowing-Oracle

Oracle’s CSO, Mary Ann Davidson, provided a wonderful example of how not to handle having your products reverse engineered.

Her original post has been removed, but there’s a copy of it on Scribd. It’s worth reading, if you haven’t seen it yet.

I think I get where she is coming from in her original post. If people are using automated static analysis tools to report issues, and either it isn’t actually a security issue or it’s something Oracle is already aware of and is working on, I can certainly understand how that might be a drain on their resources, and how their time could be better spent finding real issues themselves.

That being said, I can’t believe that a company — especially one the size of Oracle — can think that the “Pay no attention to the man behind the curtain” approach is an effective strategy.

People are going to try to look at your code. Even if not your customers, the ‘bad guys’ certainly will. Taking a stance of “if there’s a security issue, we’ll find it on our own” isn’t helping anyone.

Ultimately, if someone running automated tools or performing a basic static analysis is able to uncover actual issues in Oracle’s products, that’s stuff Oracle should have found on its own. If it’s mostly false positives and duplicates that are the issue, Oracle isn’t doing a good job of clearly exposing that to their customers.

I like how Bugcrowd and similar services do it… Companies with a mature security program can define boundaries. There is a monetary incentive to follow the rules and proper procedures. Even if something happens to fall outside the scope of the bug bounty program, they are still likely to have the ability to work with the person to ensure the issue is validated and fixed within a reasonable amount of time.

The biggest downside I see with the current bug-bounty programs is that products not part of the bounty are probably worthwhile targets. The product might not get much attention internally and may simply have been forgotten about. A vendor might also not list it because they already know, or suspect, that there are a lot of bugs in it. Either way, what isn’t part of a bug bounty program can sometimes be even more interesting than what is… at least if you don’t care about the rewards.

Hopefully Oracle will eventually shift more towards the bug bounty style. As it is now, it seems like they view it purely as an ‘us vs. them’ situation. Where bug bounties really shine, though, is when the internal team is able to collaborate with external researchers.

I wonder how much (if any) competitive advantage the SQL Server platform has over Oracle, given the difference in how Microsoft handles the discovery and reporting of issues in their products versus Oracle. Maybe that could be a motivating factor for them to change their approach…

Saturday, 1 August 2015

Books to read in 2015

Here are five books I’d recommend checking out, if you haven’t already read them.

  • #1 — The Pragmatic Programmer — This is, by far, one of my favorite development books and I recommend everyone read it at least once.
  • #2 — Gray Hat Hacking – The Ethical Hacker’s Handbook — While not specifically geared towards software development, there are plenty of topics that developers should consider giving some thought to.
  • #3 — Threat Modeling: Designing for Security — Even in eBook format, this book is massive. No matter whether you’re building applications for mobile devices, websites, or desktops, there’s something to be gained from this book.
  • #4 — Official (ISC)2 Guide to the CSSLP CBK — Even if you are not going for the CSSLP certification, there are still some great concepts developers should keep in mind throughout the SDLC.
  • #5 — Job Reconnaissance: Using Hacking Skills to Win the Job Hunt Game — Another one that’s not specifically geared towards developers, but I found the advice to be quite useful. Even if you are a highly technical individual, controlling your ‘brand’ is important. I also like the idea of doing a bit of reconnaissance early on to find specific companies of interest, rather than relying on a company to find you.