Way back in 2004 Rich wrote an article over at Gartner on the serious issues plaguing Oracle product security (the original piece is long down, but here is an article based on it). It led to a moderately serious political showdown, Rich flying out to meet with Oracle execs, and, eventually, their move to a quarterly patch update cycle (due to the botched patch, not Rich’s article). This week, Oracle’s 25-year veteran CISO Mary Ann Davidson published a blog post decrying customer security assessments of their products. Actually, let me rephrase: she pretty much threatened them with legal action for evaluating Oracle products using tools that look at the application code. Then she belittled security research in general, told everyone to trust them since they find nearly all the bugs anyway (not that they seem to patch them in a timely fashion), and… you get it.
Then, and this is the best part, Oracle pulled the post and basically issued an apology. Which, like, never happens.
Thus you probably don’t need us to tell you what this Firestarter is about. The short version is the attitudes and positions expressed in that post are very much in line with Rich’s experiences with the organization, and Mary Ann, over a decade ago. Yeah, this is a fun one.