Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Perimeter

9/5/2011
03:04 PM
Mike Rothman
Mike Rothman
Commentary
50%
50%

Don't Hate The 'Playas' -- Hate The Game

If Oracle wants to bitch about anything, it should bitch about how things get done in the halls of government -- Veracode is only trying to accelerate its growth

Per usual, there was angst and bruised egos in the security business over the past week. Who needs daytime TV when you can just follow the security industry via Twitter? It seems Oracle's CSO, Mary Ann Davidson, wrote a pretty inflammatory post decrying the need for static application security testing (SAST) services, or lack thereof, if a company is "too big to test." I wonder who she's referring to?

The post was a thinly veiled poke at Veracode for its continued efforts to get security "built in" to some federal legislation. The Veracode guys posted a pretty even-keeled response pointing out with data the issue we are all facing as security practitioners. That's the reality that most organizations crank out insecure code, which opens up trivial attack paths.

So let's just be very clear that more testing is better than less testing. Oracle (like Microsoft) has made great strides in its software security programs, but no organization is perfect, and it's critical for every end customer to make sure his technology platforms does not create exposures to its critical data. Given the continued attacks on security infrastructure (EMC/RSA, Comodo, and DigiNotar come to mind), security professionals must question not only their own infrastructure and in-house applications, but also the third party technology they buy. I don't see how SAST is contrary to that goal.

But that's not what's got me Hacked Off this month. It's Mary Ann's clear disdain for Veracode using a lobbyist to push its agenda in the halls of Washington, D.C. The implicit goal of hiring any lobbyist is to have favorable guidance and/or regulation that furthers a company's goals. In Veracode's case, it would love to get SAST to be a requirement for applications built and used by the U.S. government. To be clear, what's the issue with that?

I understand that Oracle would be open to more disclosure than it would like if SAST becomes a requirement for COTS (commercial off-the-shelf) software purchases. It would cost them more money, perhaps extend their development time lines, and force them to be accountable regarding bugs in its software that put government data at risk. The problem with that is what? We all know security by obscurity is a path to nowhere.

It's not like every other big IT company doesn't have lobbyists trolling the halls of Washington, D.C., to push their agendas. They do. Even Oracle. Maybe not about security, but when you have an "unbreakable" database, who needs to lobby on security, eh? Yeah, I couldn't resist. I guess you need to be a billion-dollar IT concern to warrant lobbyists? That's hogwash. I considered hiring lobbyists in at least two of the companies I worked for, neither of which did more than $100 million a year. We needed the visibility in D.C., and that's the way to get it. That's the game.

I wonder how many small company advisory boards Mary Ann Davidson sits on with former three- or four-star retired generals. Why does she think they are there? Because of their ability to defend the boardroom if a competitor launches a full frontal assault during a board meeting? Not likely -- they want the Generalisimo to make a few phone calls and hopefully get the company on the short list for a big contract. That's the game.

Remember that's how business gets done, at least in the military-industrial complex. It's about who you know, not what your product does. It's about how well you can navigate the contract vehicles and set up relationships with the right Beltway Bandits -- not about how well your product tests in the field. When success is based on how much favor you curry and whose back you will scratch when she takes retirement, it's very predictable that smaller companies would resort to adding high-level military folks and retain lobbyists.

It's the game. If you want to bitch about something, then bitch about how things get done in the halls of government. These companies are only trying to accelerate their growth. You can't blame them for that. They are just doing their jobs.

Don't hate the playas. Hate the game.

Mike Rothman is president of Securosis and author of "The Pragmatic CSO." Mike's bold perspectives and irreverent style are invaluable as companies determine effective strategies to grapple with the dynamic security threatscape. Mike specializes in the sexy aspects of security, like protecting networks and endpoints, security management, and ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 10/23/2020
7 Tips for Choosing Security Metrics That Matter
Ericka Chickowski, Contributing Writer,  10/19/2020
Russian Military Officers Unmasked, Indicted for High-Profile Cyberattack Campaigns
Kelly Jackson Higgins, Executive Editor at Dark Reading,  10/19/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-24847
PUBLISHED: 2020-10-23
A Cross-Site Request Forgery (CSRF) vulnerability is identified in FruityWifi through 2.4. Due to a lack of CSRF protection in page_config_adv.php, an unauthenticated attacker can lure the victim to visit his website by social engineering or another attack vector. Due to this issue, an unauthenticat...
CVE-2020-24848
PUBLISHED: 2020-10-23
FruityWifi through 2.4 has an unsafe Sudo configuration [(ALL : ALL) NOPASSWD: ALL]. This allows an attacker to perform a system-level (root) local privilege escalation, allowing an attacker to gain complete persistent access to the local system.
CVE-2020-5990
PUBLISHED: 2020-10-23
NVIDIA GeForce Experience, all versions prior to 3.20.5.70, contains a vulnerability in the ShadowPlay component which may lead to local privilege escalation, code execution, denial of service or information disclosure.
CVE-2020-25483
PUBLISHED: 2020-10-23
An arbitrary command execution vulnerability exists in the fopen() function of file writes of UCMS v1.4.8, where an attacker can gain access to the server.
CVE-2020-5977
PUBLISHED: 2020-10-23
NVIDIA GeForce Experience, all versions prior to 3.20.5.70, contains a vulnerability in NVIDIA Web Helper NodeJS Web Server in which an uncontrolled search path is used to load a node module, which may lead to code execution, denial of service, escalation of privileges, and information disclosure.