Oracle comes clean over removal of caustic blog

Post criticising customers and consultants for scanning its code for vulnerabilities went too far, Oracle admits

Oracle has spoken out about why it removed a spiky blog post urging customers not to search its code for vulnerabilities, effectively admitting the missive went too far.

The vendor today mysteriously pulled the plug on the colourful and controversial post – penned by its chief security officer Mary Ann Davidson – fuelling widespread speculation on Twitter that the blog may have been hacked.

In it, Davidson revealed Oracle is clamping down on end users and consultants who "reverse engineer" its code in an effort to uncover security vulnerabilities, saying the practice breaches Oracle's licensing terms.

The expansive post, entitled "No, you really can't", was also critical of "bug bounties", where software vendors throw money at researchers to find problems in their code. Davidson claimed Oracle does not need the help, arguing it is "pretty good" at analysing its own code.

Visitors to the blog, which was published yesterday, were greeted with a 404 error message from about lunchtime today, although the full version can be viewed at the bottom of our earlier story.

In a statement sent to CRN and attributed to executive vice president and chief corporate architect Edward Screven, Oracle this evening moved to clear up the reasons why it had decided to pull the post.

"The security of our products and services has always been critically important to Oracle," Screven said.

"Oracle has a robust programme of product security assurance and works with third-party researchers and customers to jointly ensure that applications built with Oracle technology are secure. We removed the post as it does not reflect our beliefs or our relationship with our customers."

The blog earned the ire of the Twittersphere and was also criticised by Bob Tarzey, an analyst at Quocirca, who argued that Oracle should be actively encouraging customers to find vulnerabilities in its code at a time when ERP systems are increasingly coming under attack.

Alexander Polyakov, chief technology officer of ERPScan, a company which specialises in helping customers find vulnerabilities in SAP and Oracle, was also critical of the blog.

Polyakov told CRN this evening he has personally found more than 30 issues in Oracle applications and that uncovering issues with the vendor's code is "much easier than you may think".

"Oracle is not just a vendor, it's the vendor whose software is installed in almost every Fortune 2000 company, and our lives depend on their solutions' security," he said.

"Nuclear power plants, manufacturing, banking – name anything and you will find either Oracle or SAP or both systems, which manage mission-critical processes. When this kind of vendor is telling you they don't need any help from external researchers, in terms of vulnerability findings, well, this world is too dangerous."