Oracle not only has a chief security officer, it also has a chief hacking officer.
"His name's Howard Smith. He's British and, like many Brits, he has a combination of very good technical skills, cynicism and slight criminal tendencies," says his boss, Oracle CSO Mary Ann Davidson. She adds that his title is discretionary, "but he asked for it".
Davidson says such traits are great virtues for someone in Oracle's in-house security testing team. "He's someone who is curious and wants to break in."
The in-house hacking skills of the database and enterprise application firm have been in great demand since November 2001, when the company's flamboyant and outspoken CEO, Larry Ellison, declared at Comdex that its software was so secure it was "unbreakable".
Davidson, who started in the CSO job just a month after Ellison's remark, admits her first response was "This is a joke". Few in the industry believed it at the time, and subsequent publicity about vulnerabilities in Oracle products isn't likely to have increased credulity. British security firm NGS Software's revelation in February of a buffer overflow in releases one and two of Oracle's flagship 9i database quickly had Oracle issuing patches.
As soon as Ellison said the magic word, hackers worldwide took up the challenge. Oracle says it's been successful at living up to the claim, saying no systems have been brought down, but patches suggest that its products aren't quite unbreakable.
Davidson's response is that "unbreakable" isn't so much a definitive term as a spur for excellence in security at Oracle.
Something like "pretty darned good security" wouldn't have motivated staff or impressed customers as much, she says.
Davidson, who has been at Oracle 14 years but was once a US Navy "sea bee", meaning a construction specialist, has set about changing the culture to one in which security is paramount.
Developers are now trained to build security into code from day one. The notion that security can be "bolted on" after installation is outdated in today's world, where many applications are delivered over the internet, she says.
"Before products ship, the owner of the bill of materials used in compiling it has to complete a checklist and if we find something, we fix it before it ships."
Davidson has overseen the introduction of a formal process for handling vulnerabilities.
"It's not dependent on the judgement of the person in charge of that particular project," she says.
Criteria are punched in, the security test happens and out comes a number.
"If it's above a certain threshold and there's no workaround, we'll do one-off patches. If it's a smaller problem, we'll put it in the next patch set."
Patch sets are regular changes sent out, mainly for non-security issues.
Alongside this, 15 independent security tests, some internationally recognised, are applied to all Oracle products.
Davidson relishes her job and says being one of the few women working at high level in IT security isn't a concern.
"I was one of the few women in my specialty in the navy, so it's never been an issue."
Watson travelled to Sydney to interview Davidson courtesy of Oracle.