Saturday, October 18, 2008

 

How Oracle can help you write more secure code...

It is fascinating to see how others such as Mark Wilcox views customer assistance...



Let's analyze his response to see if additional insights will emerge...

Coverage of products doesn't equate to writing secure code. Security software does NOT equal software security. If you want to assist customers in writing secure code then Oracle would need to publish something similar to the 19 Deadly Sins of Software Security by Michael Howard or Threat Modeling by Window Synder.

I like the transparency of thought that Mary Ann articulated, but also felt that Oracle needed to eat some humble pie. Shouldn't the question have been how to rally the entire industry since this problem isn't unique to Oracle alone? What would have happened if she also got industry analysts from Gartner, Forrester, Burton Group and so on along with say a listing of CIOs from Fortune enterprises to be a signatory? Imagine the possibilities if Oracle were to think more open and pursue something larger such as the open security manifesto, kinda like the Agile Manifesto or the Cluetrain Manifesto. It takes a community to write secure code and Oracle isn't big enough to do it alone...

I have this book on my shelf and it is good if you want to configure products securely, but it still doesn't teach you how to write secure code. I know that Oracle internally uses products from Ounce Labs and Coverity and therefore has some knowledge of PL-SQL specific coding threats. What if the DB team were to blog exploit tips in this regard?

My significant other is currently working on a security application for a startup who hasn't used one iota of Microsoft technology. She will be attending a free seminar on security hosted by Microsoft in their local office. She didn't need to be a customer nor even RSVP for that matter. The topic will be on security development lifecycles for software companies. What is the Oracle equivalent to free, technology agnostic and local?




Links to this post:

Create a Link



<< Home
| | View blog reactions


This page is powered by Blogger. Isn't yours?