Oracle Blows it Again

This was posted on eWeek today.

Researcher: Oracle Passwords Crack in Mere Minutes
Attackers can easily crack even strong Oracle database passwords and gain access to critical enterprise data because of weak password protection mechanisms, researchers have warned.

<www.eweek.com/article2/0,1895,1878935,00.asp>

You can follow the link to read the entire story. The bottom line is that Oracle is once again embarrassed by a security flaw. The article mentions the retired marketing tagline, "unbreakable", that Oracle was using a while back. I just don't get why companies feel the need to tout security. This is just like walking into a cave and poking a sleeping bear with a big stick. Why? There's nothing hackers like more than a challenge. Oracle isn't the only company to do this. We've been guilty of it as well. I just don't get it.

During the development of SQL Server 2005 we spent a considerable amount of time on security. Does this mean it's 100% hacker-proof? Probably not. After all, it's software and we're human. But we're way ahead of Oracle. We have processes, policies, tools, and training for developing secure software. When Slammer first hit, it was disastrous, but at least we got it fixed quickly and on the first attempt. In addition, it forced us to wake up and see the importance of secure software. How many Oracle patches does it take to actually fix the original problem? The simple answer is usually more than one.

Microsoft has raised the bar, but not enough companies are following our lead.

What I really want to see is the user community (the Enterprise IT community) stand up and say “we’re not going to stand for it any longer”. Vote with your dollars. If a company doesn’t have formal processes for developing secure software, take them off your AVL (approved vendor list). If a company doesn’t have an automated mechanism for distributing fixes, take them off your AVL. This is the only way that ISVs are going to get the message that they have to take seriously the development of secure software. As long as customers are willing to buy insecure software there is zero incentive for ISVs to build secure software. Increase the value of secure software and ISVs will be producing more secure software in no time.