Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Perimeter

9/5/2011
03:04 PM
Mike Rothman
Mike Rothman
Commentary
50%
50%

Don't Hate The 'Playas' -- Hate The Game

If Oracle wants to bitch about anything, it should bitch about how things get done in the halls of government -- Veracode is only trying to accelerate its growth

Per usual, there was angst and bruised egos in the security business over the past week. Who needs daytime TV when you can just follow the security industry via Twitter? It seems Oracle's CSO, Mary Ann Davidson, wrote a pretty inflammatory post decrying the need for static application security testing (SAST) services, or lack thereof, if a company is "too big to test." I wonder who she's referring to?

The post was a thinly veiled poke at Veracode for its continued efforts to get security "built in" to some federal legislation. The Veracode guys posted a pretty even-keeled response pointing out with data the issue we are all facing as security practitioners. That's the reality that most organizations crank out insecure code, which opens up trivial attack paths.

So let's just be very clear that more testing is better than less testing. Oracle (like Microsoft) has made great strides in its software security programs, but no organization is perfect, and it's critical for every end customer to make sure his technology platforms does not create exposures to its critical data. Given the continued attacks on security infrastructure (EMC/RSA, Comodo, and DigiNotar come to mind), security professionals must question not only their own infrastructure and in-house applications, but also the third party technology they buy. I don't see how SAST is contrary to that goal.

But that's not what's got me Hacked Off this month. It's Mary Ann's clear disdain for Veracode using a lobbyist to push its agenda in the halls of Washington, D.C. The implicit goal of hiring any lobbyist is to have favorable guidance and/or regulation that furthers a company's goals. In Veracode's case, it would love to get SAST to be a requirement for applications built and used by the U.S. government. To be clear, what's the issue with that?

I understand that Oracle would be open to more disclosure than it would like if SAST becomes a requirement for COTS (commercial off-the-shelf) software purchases. It would cost them more money, perhaps extend their development time lines, and force them to be accountable regarding bugs in its software that put government data at risk. The problem with that is what? We all know security by obscurity is a path to nowhere.

It's not like every other big IT company doesn't have lobbyists trolling the halls of Washington, D.C., to push their agendas. They do. Even Oracle. Maybe not about security, but when you have an "unbreakable" database, who needs to lobby on security, eh? Yeah, I couldn't resist. I guess you need to be a billion-dollar IT concern to warrant lobbyists? That's hogwash. I considered hiring lobbyists in at least two of the companies I worked for, neither of which did more than $100 million a year. We needed the visibility in D.C., and that's the way to get it. That's the game.

I wonder how many small company advisory boards Mary Ann Davidson sits on with former three- or four-star retired generals. Why does she think they are there? Because of their ability to defend the boardroom if a competitor launches a full frontal assault during a board meeting? Not likely -- they want the Generalisimo to make a few phone calls and hopefully get the company on the short list for a big contract. That's the game.

Remember that's how business gets done, at least in the military-industrial complex. It's about who you know, not what your product does. It's about how well you can navigate the contract vehicles and set up relationships with the right Beltway Bandits -- not about how well your product tests in the field. When success is based on how much favor you curry and whose back you will scratch when she takes retirement, it's very predictable that smaller companies would resort to adding high-level military folks and retain lobbyists.

It's the game. If you want to bitch about something, then bitch about how things get done in the halls of government. These companies are only trying to accelerate their growth. You can't blame them for that. They are just doing their jobs.

Don't hate the playas. Hate the game.

Mike Rothman is president of Securosis and author of "The Pragmatic CSO." Mike's bold perspectives and irreverent style are invaluable as companies determine effective strategies to grapple with the dynamic security threatscape. Mike specializes in the sexy aspects of security, like protecting networks and endpoints, security management, and ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Why Cyber-Risk Is a C-Suite Issue
Marc Wilczek, Digital Strategist & CIO Advisor,  11/12/2019
Unreasonable Security Best Practices vs. Good Risk Management
Jack Freund, Director, Risk Science at RiskLens,  11/13/2019
6 Small-Business Password Managers
Curtis Franklin Jr., Senior Editor at Dark Reading,  11/8/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-11931
PUBLISHED: 2019-11-14
A stack-based buffer overflow could be triggered in WhatsApp by sending a specially crafted MP4 file to a WhatsApp user. The issue was present in parsing the elementary stream metadata of an MP4 file and could result in a DoS or RCE. This affects Android versions prior to 2.19.274, iOS versions prio...
CVE-2019-18980
PUBLISHED: 2019-11-14
On Signify Philips Taolight Smart Wi-Fi Wiz Connected LED Bulb 9290022656 devices, an unprotected API lets remote users control the bulb's operation. Anyone can turn the bulb on or off, or change its color or brightness remotely. There is no authentication or encryption to use the control API. The o...
CVE-2019-17391
PUBLISHED: 2019-11-14
An issue was discovered in the Espressif ESP32 mask ROM code 2016-06-08 0 through 2. Lack of anti-glitch mitigations in the first stage bootloader of the ESP32 chip allows an attacker (with physical access to the device) to read the contents of read-protected eFuses, such as flash encryption and sec...
CVE-2019-18651
PUBLISHED: 2019-11-14
A cross-site request forgery (CSRF) vulnerability in 3xLogic Infinias Access Control through 6.6.9586.0 allows remote attackers to execute malicious and unauthorized actions (e.g., delete application users) by sending a crafted HTML document to a user that the website trusts. The user needs to have ...
CVE-2019-18978
PUBLISHED: 2019-11-14
An issue was discovered in the rack-cors (aka Rack CORS Middleware) gem before 1.0.4 for Ruby. It allows ../ directory traversal to access private resources because resource matching does not ensure that pathnames are in a canonical format.