It is fascinating to see how others such as
Mark Wilcox views customer assistance...
Let's analyze his response to see if additional insights will emerge...
First - make sure to read and check-back with Oracle Secure Technology Center.This is basically one-stop place for all of our security information. Oracle covers everything from OS to applications. And this location covers that breadth with links to deeper-dives.
Coverage of products doesn't equate to writing secure code. Security software does
NOT equal software security. If you want to assist customers in writing secure code then Oracle would need to publish something similar to the 19 Deadly Sins of Software Security by Michael Howard or Threat Modeling by Window Synder.
Second - our Chief Security Officer Mary Ann Davidson has been trying to get developer education ecosystem (e.g. CS programs and their cousins) to do a better job of teaching secure coding. I believe she articulated the problem very well in her post - "The Supply Chain Problem".
I like the transparency of thought that Mary Ann articulated, but also felt that Oracle needed to eat some humble pie. Shouldn't the question have been how to rally the entire industry since this problem isn't unique to Oracle alone? What would have happened if she also got industry analysts from Gartner, Forrester, Burton Group and so on along with say a listing of CIOs from Fortune enterprises to be a signatory? Imagine the possibilities if Oracle were to think more
open and pursue something larger such as the open security manifesto, kinda like the
Agile Manifesto or the
Cluetrain Manifesto. It takes a community to write secure code and Oracle isn't big enough to do it alone...
Fourth - if you do anything with the database- David Knox's Effective Oracle Database 10g Security by Design is still the go-to resource. It's book #2 on my tech shelf- after my own (me being first is mostly a vanity thing :)).
I have this book on my shelf and it is good if you want to configure products securely, but it still doesn't teach you how to write secure code. I know that Oracle internally uses products from Ounce Labs and Coverity and therefore has some knowledge of PL-SQL specific coding threats. What if the DB team were to blog exploit tips in this regard?
As an addendum - if you are writing code in ADF you should check out the new tutorial based on the new demo application - "Fusion Order Demo" . Besides learning all of the cool things ADF/JDev bring to the table
My significant other is currently working on a security application for a startup who hasn't used one iota of Microsoft technology. She will be attending a
free seminar on security hosted by Microsoft in their local office. She didn't need to be a customer nor even RSVP for that matter. The topic will be on security development lifecycles for software companies. What is the Oracle equivalent to free, technology agnostic and local?
# posted by James McGovern @ 11:45 AM
