Perimeter
9/5/2011
03:04 PM
Mike Rothman
Mike Rothman
Commentary
50%
50%

Don't Hate The 'Playas' -- Hate The Game

If Oracle wants to bitch about anything, it should bitch about how things get done in the halls of government -- Veracode is only trying to accelerate its growth

Per usual, there was angst and bruised egos in the security business over the past week. Who needs daytime TV when you can just follow the security industry via Twitter? It seems Oracle's CSO, Mary Ann Davidson, wrote a pretty inflammatory post decrying the need for static application security testing (SAST) services, or lack thereof, if a company is "too big to test." I wonder who she's referring to?

The post was a thinly veiled poke at Veracode for its continued efforts to get security "built in" to some federal legislation. The Veracode guys posted a pretty even-keeled response pointing out with data the issue we are all facing as security practitioners. That's the reality that most organizations crank out insecure code, which opens up trivial attack paths.

So let's just be very clear that more testing is better than less testing. Oracle (like Microsoft) has made great strides in its software security programs, but no organization is perfect, and it's critical for every end customer to make sure his technology platforms does not create exposures to its critical data. Given the continued attacks on security infrastructure (EMC/RSA, Comodo, and DigiNotar come to mind), security professionals must question not only their own infrastructure and in-house applications, but also the third party technology they buy. I don't see how SAST is contrary to that goal.

But that's not what's got me Hacked Off this month. It's Mary Ann's clear disdain for Veracode using a lobbyist to push its agenda in the halls of Washington, D.C. The implicit goal of hiring any lobbyist is to have favorable guidance and/or regulation that furthers a company's goals. In Veracode's case, it would love to get SAST to be a requirement for applications built and used by the U.S. government. To be clear, what's the issue with that?

I understand that Oracle would be open to more disclosure than it would like if SAST becomes a requirement for COTS (commercial off-the-shelf) software purchases. It would cost them more money, perhaps extend their development time lines, and force them to be accountable regarding bugs in its software that put government data at risk. The problem with that is what? We all know security by obscurity is a path to nowhere.

It's not like every other big IT company doesn't have lobbyists trolling the halls of Washington, D.C., to push their agendas. They do. Even Oracle. Maybe not about security, but when you have an "unbreakable" database, who needs to lobby on security, eh? Yeah, I couldn't resist. I guess you need to be a billion-dollar IT concern to warrant lobbyists? That's hogwash. I considered hiring lobbyists in at least two of the companies I worked for, neither of which did more than $100 million a year. We needed the visibility in D.C., and that's the way to get it. That's the game.

I wonder how many small company advisory boards Mary Ann Davidson sits on with former three- or four-star retired generals. Why does she think they are there? Because of their ability to defend the boardroom if a competitor launches a full frontal assault during a board meeting? Not likely -- they want the Generalisimo to make a few phone calls and hopefully get the company on the short list for a big contract. That's the game.

Remember that's how business gets done, at least in the military-industrial complex. It's about who you know, not what your product does. It's about how well you can navigate the contract vehicles and set up relationships with the right Beltway Bandits -- not about how well your product tests in the field. When success is based on how much favor you curry and whose back you will scratch when she takes retirement, it's very predictable that smaller companies would resort to adding high-level military folks and retain lobbyists.

It's the game. If you want to bitch about something, then bitch about how things get done in the halls of government. These companies are only trying to accelerate their growth. You can't blame them for that. They are just doing their jobs.

Don't hate the playas. Hate the game.

Mike Rothman is president of Securosis and author of "The Pragmatic CSO." Mike's bold perspectives and irreverent style are invaluable as companies determine effective strategies to grapple with the dynamic security threatscape. Mike specializes in the sexy aspects of security, like protecting networks and endpoints, security management, and ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Latest Comment: nice post
Current Issue
Flash Poll
Title Partner’s Role in Perimeter Security
Title Partner’s Role in Perimeter Security
Considering how prevalent third-party attacks are, we need to ask hard questions about how partners and suppliers are safeguarding systems and data.
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-1750
Published: 2015-07-01
Open redirect vulnerability in nokia-mapsplaces.php in the Nokia Maps & Places plugin 1.6.6 for WordPress allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the href parameter to page/place.html. NOTE: this was originally reported as cross-sit...

CVE-2014-1836
Published: 2015-07-01
Absolute path traversal vulnerability in htdocs/libraries/image-editor/image-edit.php in ImpressCMS before 1.3.6 allows remote attackers to delete arbitrary files via a full pathname in the image_path parameter in a cancel action.

CVE-2015-0848
Published: 2015-07-01
Heap-based buffer overflow in libwmf 0.2.8.4 allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted BMP image.

CVE-2015-1330
Published: 2015-07-01
unattended-upgrades before 0.86.1 does not properly authenticate packages when the (1) force-confold or (2) force-confnew dpkg options are enabled in the DPkg::Options::* apt configuration, which allows remote man-in-the-middle attackers to upload and execute arbitrary packages via unspecified vecto...

CVE-2015-1950
Published: 2015-07-01
IBM PowerVC Standard Edition 1.2.2.1 through 1.2.2.2 does not require authentication for access to the Python interpreter with nova credentials, which allows KVM guest OS users to discover certain PowerVC credentials and bypass intended access restrictions via unspecified Python code.

Dark Reading Radio
Archived Dark Reading Radio
Marc Spitler, co-author of the Verizon DBIR will share some of the lesser-known but most intriguing tidbits from the massive report