Oracle to 'sinner' customers: Reverse engineering is a sin and we know best

Opinion: Stop sending vulnerability reports already. Oracle's chief security officer wants to go back to writing murder mysteries. [UPDATED]
Written by Charlie Osborne, Contributing Writer

[UPDATED 18.15GMT: Updated with Oracle statement]

Is this even real?

When I first read an online rant by Oracle chief security officer Mary Ann Davidson, I pinged the software provider's PR, asking if the blog post was legitimate. While I'm yet to receive a response, the CSO's apparent commentary does make for an eyebrow-raising read.

Taking a cursory look at social media, I do not appear to be the only one this afternoon absorbing her words of wisdom while switching between copious amounts of eye-rolling and outrage and laughter.

Yesterday, Davidson took to the Oracle corporate blog to pen her thoughts on security. Titled, " No, You Really Can't," the essay [Editor: Oracle has unpublished the post, but the full text is available below.] -- or perhaps interpreted as a wine-fuelled ramble -- waxes less-than-eloquently on the uphill battle Oracle has between maintaining decent security (-cough-) and battling against their nefarious customers who insist on making the job harder by reverse-engineering.

Those meddling kids.

To start with, Davidson laments that she would rather be writing murder mysteries then telling off customers who insist on reverse engineering Oracle software code to find vulnerabilities, but alas, the CSO's job is never done. Davidson writes:

"Recently, I have seen a large-ish uptick in customers reverse engineering our code to attempt to find security vulnerabilities in it. < Insert big sigh here. > This is why I've been writing a lot of letters to customers that start with "hi, howzit, aloha" but end with "please comply with your license agreement and stop reverse engineering our code, already."

In other words, stop trying to find security holes which not only pull down the overall quality of Oracle products -- and potentially the safety of any data you own relating to the use of said product -- and just let the Oracle professionals deal with it. In fact, as Davidson says below, leave our system alone and use your time to focus on securing your own programs, which may not be up to par.

"I can understand that in a world where it seems almost every day someone else had a data breach and lost umpteen gazillion records to unnamed intruders who may have been working at the behest of a hostile nation-state, people want to go the extra mile to secure their systems.

That said, you would think that before gearing up to run that extra mile, customers would already have ensured they've identified their critical systems, encrypted sensitive data, applied all relevant patches, be on a supported product release, use tools to ensure configurations are locked down -- in short, the usual security hygiene -- before they attempt to find zero day vulnerabilities in the products they are using."

Taking this argument further, Davidson goes on to say if you want to make sure software you're using is secure, instead of poking holes in it through reverse engineering, just look for the "This is quality!" seals such as Common Criteria certifications or FIPS-140 certifications. Since you can't patch a vulnerability yourself if you find one, simply leave well enough alone.

Not only that, but exploring Oracle code could put you in hot water when it comes to licensing agreements. If a customer uses a static analysis tool to poke about, they are "almost certainly" violating license agreements -- and so Oracle will be coming after you as a customer should you dare reveal a vulnerability to the software vendor.

Most security or scan reports handed over to Oracle by customers are often "not much more than a pile of steaming... FUD," according to Davidson. Since Oracle's licensing agreement includes the provision that customers "may not reverse engineer, disassemble, decompile, or otherwise attempt to derive the source code of the Programs," the chief security officer says:

"If we determine as part of our analysis that scan results could only have come from reverse engineering (in at least one case, because the report said, cleverly enough, "static analysis of Oracle XXXXXX"), we send a letter to the sinning customer, and a different letter to the sinning consultant-acting-on-customer's behalf -- reminding them of the terms of the Oracle license agreement that preclude reverse engineering, So Please Stop It Already."

The executive isn't happy. Looking at vulnerability reports and chasing after customers who break licensing agreements in disclosing bugs or issues is wasting the security team's time, and Davidson is a little tired of customers reporting flaws.

Well, security researchers could always just sell on zero-day vulnerabilities over the black market or release them online instead, would that be a better alternative to Oracle employees having to write strongly-worded letters against third parties?

"More like, "I do not need you to analyze the code since we already do that, it's our job to do that, we are pretty good at it, we can -- unlike a third party or a tool -- actually analyze the code to determine what's happening and at any rate most of these tools have a close to 100 percent false positive rate so please do not waste our time on reporting little green men in our code. I am not running away from our responsibilities to customers, merely trying to avoid a painful, annoying, and mutually-time wasting exercise," the CSO writes.

Apparently not. Disclosure is a waste of time, after all. If you dare hire a security consultant to take a look at your business, they too are bound by the Oracle agreement -- and hellfire (well, letters) will rain down should they submit reports either.

After all, if this wasn't the case -- in Davidson's words: "Nanny, nanny boo boo, big bad consultant can do X even if the customer can't!"

The Oracle security chief isn't a fan of "boy band" bug bounty systems either. The CSO continues:

"Many companies are screaming, fainting, and throwing underwear at security researchers**** to find problems in their code and insisting that This Is The Way, Walk In It: if you are not doing bug bounties, your code isn't secure. Ah, well, we find 87 percent of security vulnerabilities ourselves, security researchers find about 3 percent and the rest are found by customers.

I am not dissing bug bounties, just noting that on a strictly economic basis, why would I throw a lot of money at 3 percent of the problem?"

On this note, 10 percent of vulnerabilities are therefore found by customers, according to the executive. I suppose one-in-ten zero day vulnerability discoveries isn't enough for Oracle, which is irritated at having to growl and snap at customers for prodding their systems. But well done Oracle, 87 percent isn't too bad on your lonesome. We ought to just leave the rest out there, no?

However, after all this, if there is a true security problem then Oracle will grudgingly fix it at some point. Davidson writes:

"Customers Should Not and Must Not reverse engineer our code. However, if there is an actual security vulnerability, we will fix it. We may not like how it was found but we aren't going to ignore a real problem -- that would be a disservice to our customers.

We will, however, fix it to protect all our customers, meaning everybody will get the fix at the same time. However, we will not give a customer reporting such an issue (that they found through reverse engineering) a special (one-off) patch for the problem.

We will also not provide credit in any advisories we might issue. You can't really expect us to say "thank you for breaking the license agreement."

The essay goes on, increasing the tempo in arrogance and a holier-than-thou attitude. But, ad nauseam, Oracle appears to want to make it quite clear the company knows best -- and whether you are hired security help, the three percent of researchers or 10 percent of customers who submit valid security problems, if you know what's best for you, stop reverse-engineering and poking around the source code. Oracle knows best.

But you know, if Oracle's strongly-worded letters are written in Davidson's style, I think I'd quite enjoy the entertainment value.

Update: Edward Screven, Executive Vice President and Chief Corporate Architect told ZDNet:

"The security of our products and services has always been critically important to Oracle. Oracle has a robust program of product security assurance and works with third party researchers and customers to jointly ensure that applications built with Oracle technology are secure. We removed the post as it does not reflect our beliefs or our relationship with our customers."

The full text of the post:

No, You Really Can't (Mary Ann Davidson Blog) by Owen

Read on: Top picks

In pictures:

Editorial standards