The Oracle CSO's (Chief “Security” Officer) statements show a misunderstanding of IT security principles.
The IT-Security BlogNotions post on the subject is appropriate:
That is why I came up with “Don’t Expose My Code Bro”.
I am afraid that a lot of executives do not understand security principles within the IT industry.
Let me help you understand a bit, Mary Ann:
Any code that is produced, including the venerable Oracle Database software, has the potential for security problems. Attackers create sophisticated attacks, including attacks that escalate privileges across VM boundaries in an environment you would think is safe:
My previous post http://oversitesentry.com/defcon-talk-hacking-inter-vm-instance-data/ shows the intricate nature of some of the attacks and research out there.
It is very difficult to figure out all of the potential attacks from inside your own development silo.
The seminal work of Eric Raymond, “The Cathedral and the Bazaar”, explains the deficiencies of closed, cathedral-style software development and why open review finds bugs faster (“given enough eyeballs, all bugs are shallow”). http://www.catb.org/esr/writings/cathedral-bazaar/ (you can download the work for free now)
We need a new understanding within the security portion of IT development teams.
Why can’t we apply systems engineering and quality control principles to security?
Past post that explores this subject: http://oversitesentry.com/why-risk-management-model-failed-us/
This is a fundamental problem, folks. Our executive teams do not understand the gravity of the situation; they do not understand that it is no longer enough to have an IT team working on your IT stuff.
Now you must also have a second, highly specialized security-focused team to check the IT team that takes care of you. There is too much riding on IT.
So our problem is: how do we best explain that? Executives need to see examples and simple solutions with clear benefits. They understand risk, yet as time goes on we argue among ourselves about whether it really is as bad as we think it is.
Remember to plead with your attackers:
“Stop Attacking Me – Don’t Exploit My Code Bro”