Perimeter
9/5/2011
03:04 PM
Mike Rothman
Mike Rothman
Commentary
50%
50%

Don't Hate The 'Playas' -- Hate The Game

If Oracle wants to bitch about anything, it should bitch about how things get done in the halls of government -- Veracode is only trying to accelerate its growth

Per usual, there was angst and bruised egos in the security business over the past week. Who needs daytime TV when you can just follow the security industry via Twitter? It seems Oracle's CSO, Mary Ann Davidson, wrote a pretty inflammatory post decrying the need for static application security testing (SAST) services, or lack thereof, if a company is "too big to test." I wonder who she's referring to?

The post was a thinly veiled poke at Veracode for its continued efforts to get security "built in" to some federal legislation. The Veracode guys posted a pretty even-keeled response pointing out with data the issue we are all facing as security practitioners. That's the reality that most organizations crank out insecure code, which opens up trivial attack paths.

So let's just be very clear that more testing is better than less testing. Oracle (like Microsoft) has made great strides in its software security programs, but no organization is perfect, and it's critical for every end customer to make sure his technology platforms does not create exposures to its critical data. Given the continued attacks on security infrastructure (EMC/RSA, Comodo, and DigiNotar come to mind), security professionals must question not only their own infrastructure and in-house applications, but also the third party technology they buy. I don't see how SAST is contrary to that goal.

But that's not what's got me Hacked Off this month. It's Mary Ann's clear disdain for Veracode using a lobbyist to push its agenda in the halls of Washington, D.C. The implicit goal of hiring any lobbyist is to have favorable guidance and/or regulation that furthers a company's goals. In Veracode's case, it would love to get SAST to be a requirement for applications built and used by the U.S. government. To be clear, what's the issue with that?

I understand that Oracle would be open to more disclosure than it would like if SAST becomes a requirement for COTS (commercial off-the-shelf) software purchases. It would cost them more money, perhaps extend their development time lines, and force them to be accountable regarding bugs in its software that put government data at risk. The problem with that is what? We all know security by obscurity is a path to nowhere.

It's not like every other big IT company doesn't have lobbyists trolling the halls of Washington, D.C., to push their agendas. They do. Even Oracle. Maybe not about security, but when you have an "unbreakable" database, who needs to lobby on security, eh? Yeah, I couldn't resist. I guess you need to be a billion-dollar IT concern to warrant lobbyists? That's hogwash. I considered hiring lobbyists in at least two of the companies I worked for, neither of which did more than $100 million a year. We needed the visibility in D.C., and that's the way to get it. That's the game.

I wonder how many small company advisory boards Mary Ann Davidson sits on with former three- or four-star retired generals. Why does she think they are there? Because of their ability to defend the boardroom if a competitor launches a full frontal assault during a board meeting? Not likely -- they want the Generalisimo to make a few phone calls and hopefully get the company on the short list for a big contract. That's the game.

Remember that's how business gets done, at least in the military-industrial complex. It's about who you know, not what your product does. It's about how well you can navigate the contract vehicles and set up relationships with the right Beltway Bandits -- not about how well your product tests in the field. When success is based on how much favor you curry and whose back you will scratch when she takes retirement, it's very predictable that smaller companies would resort to adding high-level military folks and retain lobbyists.

It's the game. If you want to bitch about something, then bitch about how things get done in the halls of government. These companies are only trying to accelerate their growth. You can't blame them for that. They are just doing their jobs.

Don't hate the playas. Hate the game.

Mike Rothman is president of Securosis and author of "The Pragmatic CSO." Mike's bold perspectives and irreverent style are invaluable as companies determine effective strategies to grapple with the dynamic security threatscape. Mike specializes in the sexy aspects of security, like protecting networks and endpoints, security management, and ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Title Partner’s Role in Perimeter Security
Title Partner’s Role in Perimeter Security
Considering how prevalent third-party attacks are, we need to ask hard questions about how partners and suppliers are safeguarding systems and data.
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-5208
Published: 2014-12-22
BKBCopyD.exe in the Batch Management Packages in Yokogawa CENTUM CS 3000 through R3.09.50 and CENTUM VP through R4.03.00 and R5.x through R5.04.00, and Exaopc through R3.72.10, does not require authentication, which allows remote attackers to read arbitrary files via a RETR operation, write to arbit...

CVE-2014-7286
Published: 2014-12-22
Buffer overflow in AClient in Symantec Deployment Solution 6.9 and earlier on Windows XP and Server 2003 allows local users to gain privileges via unspecified vectors.

CVE-2014-8015
Published: 2014-12-22
The Sponsor Portal in Cisco Identity Services Engine (ISE) allows remote authenticated users to obtain access to an arbitrary sponsor's guest account via a modified HTTP request, aka Bug ID CSCur64400.

CVE-2014-8017
Published: 2014-12-22
The periodic-backup feature in Cisco Identity Services Engine (ISE) allows remote attackers to discover backup-encryption passwords via a crafted request that triggers inclusion of a password in a reply, aka Bug ID CSCur41673.

CVE-2014-8018
Published: 2014-12-22
Multiple cross-site scripting (XSS) vulnerabilities in Business Voice Services Manager (BVSM) pages in the Application Software in Cisco Unified Communications Domain Manager 8 allow remote attackers to inject arbitrary web script or HTML via a crafted URL, aka Bug IDs CSCur19651, CSCur18555, CSCur1...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.