Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Perimeter

9/5/2011
03:04 PM
Mike Rothman
Mike Rothman
Commentary
50%
50%

Don't Hate The 'Playas' -- Hate The Game

If Oracle wants to bitch about anything, it should bitch about how things get done in the halls of government -- Veracode is only trying to accelerate its growth

Per usual, there was angst and bruised egos in the security business over the past week. Who needs daytime TV when you can just follow the security industry via Twitter? It seems Oracle's CSO, Mary Ann Davidson, wrote a pretty inflammatory post decrying the need for static application security testing (SAST) services, or lack thereof, if a company is "too big to test." I wonder who she's referring to?

The post was a thinly veiled poke at Veracode for its continued efforts to get security "built in" to some federal legislation. The Veracode guys posted a pretty even-keeled response pointing out with data the issue we are all facing as security practitioners. That's the reality that most organizations crank out insecure code, which opens up trivial attack paths.

So let's just be very clear that more testing is better than less testing. Oracle (like Microsoft) has made great strides in its software security programs, but no organization is perfect, and it's critical for every end customer to make sure his technology platforms does not create exposures to its critical data. Given the continued attacks on security infrastructure (EMC/RSA, Comodo, and DigiNotar come to mind), security professionals must question not only their own infrastructure and in-house applications, but also the third party technology they buy. I don't see how SAST is contrary to that goal.

But that's not what's got me Hacked Off this month. It's Mary Ann's clear disdain for Veracode using a lobbyist to push its agenda in the halls of Washington, D.C. The implicit goal of hiring any lobbyist is to have favorable guidance and/or regulation that furthers a company's goals. In Veracode's case, it would love to get SAST to be a requirement for applications built and used by the U.S. government. To be clear, what's the issue with that?

I understand that Oracle would be open to more disclosure than it would like if SAST becomes a requirement for COTS (commercial off-the-shelf) software purchases. It would cost them more money, perhaps extend their development time lines, and force them to be accountable regarding bugs in its software that put government data at risk. The problem with that is what? We all know security by obscurity is a path to nowhere.

It's not like every other big IT company doesn't have lobbyists trolling the halls of Washington, D.C., to push their agendas. They do. Even Oracle. Maybe not about security, but when you have an "unbreakable" database, who needs to lobby on security, eh? Yeah, I couldn't resist. I guess you need to be a billion-dollar IT concern to warrant lobbyists? That's hogwash. I considered hiring lobbyists in at least two of the companies I worked for, neither of which did more than $100 million a year. We needed the visibility in D.C., and that's the way to get it. That's the game.

I wonder how many small company advisory boards Mary Ann Davidson sits on with former three- or four-star retired generals. Why does she think they are there? Because of their ability to defend the boardroom if a competitor launches a full frontal assault during a board meeting? Not likely -- they want the Generalisimo to make a few phone calls and hopefully get the company on the short list for a big contract. That's the game.

Remember that's how business gets done, at least in the military-industrial complex. It's about who you know, not what your product does. It's about how well you can navigate the contract vehicles and set up relationships with the right Beltway Bandits -- not about how well your product tests in the field. When success is based on how much favor you curry and whose back you will scratch when she takes retirement, it's very predictable that smaller companies would resort to adding high-level military folks and retain lobbyists.

It's the game. If you want to bitch about something, then bitch about how things get done in the halls of government. These companies are only trying to accelerate their growth. You can't blame them for that. They are just doing their jobs.

Don't hate the playas. Hate the game.

Mike Rothman is president of Securosis and author of "The Pragmatic CSO." Mike's bold perspectives and irreverent style are invaluable as companies determine effective strategies to grapple with the dynamic security threatscape. Mike specializes in the sexy aspects of security, like protecting networks and endpoints, security management, and ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Zero-Factor Authentication: Owning Our Data
Nick Selby, Chief Security Officer at Paxos Trust Company,  2/19/2020
44% of Security Threats Start in the Cloud
Kelly Sheridan, Staff Editor, Dark Reading,  2/19/2020
Ransomware Damage Hit $11.5B in 2019
Dark Reading Staff 2/20/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
How Enterprises Are Developing and Maintaining Secure Applications
How Enterprises Are Developing and Maintaining Secure Applications
The concept of application security is well known, but application security testing and remediation processes remain unbalanced. Most organizations are confident in their approach to AppSec, although others seem to have no approach at all. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-5524
PUBLISHED: 2020-02-21
Aterm series (Aterm WF1200C firmware Ver1.2.1 and earlier, Aterm WG1200CR firmware Ver1.2.1 and earlier, Aterm WG2600HS firmware Ver1.3.2 and earlier) allows an attacker on the same network segment to execute arbitrary OS commands with root privileges via UPnP function.
CVE-2020-5525
PUBLISHED: 2020-02-21
Aterm series (Aterm WF1200C firmware Ver1.2.1 and earlier, Aterm WG1200CR firmware Ver1.2.1 and earlier, Aterm WG2600HS firmware Ver1.3.2 and earlier) allows an authenticated attacker on the same network segment to execute arbitrary OS commands with root privileges via management screen.
CVE-2020-5533
PUBLISHED: 2020-02-21
Cross-site scripting vulnerability in Aterm WG2600HS firmware Ver1.3.2 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
CVE-2020-5534
PUBLISHED: 2020-02-21
Aterm WG2600HS firmware Ver1.3.2 and earlier allows an authenticated attacker on the same network segment to execute arbitrary OS commands with root privileges via unspecified vectors.
CVE-2014-7914
PUBLISHED: 2020-02-21
btif/src/btif_dm.c in Android before 5.1 does not properly enforce the temporary nature of a Bluetooth pairing, which allows user-assisted remote attackers to bypass intended access restrictions via crafted Bluetooth packets after the tapping of a crafted NFC tag.