Show 024 - An Interview with Mary Ann Davidson

Oracle Chief Security Officer Mary Ann Davidson is the guest on the 24th episode of The Silver Bullet Security Podcast. Gary and Mary Ann discuss how an MBA helps in the CSO role, Oracle’s “Unbreakable” campaign, why everyone needs training in secure coding, and how military history informs computer security. They also talk about how a young CSO-to-be got her first library card.


March 31st, 2008 at 10:18 am
Gary,
Good interview.
The discussion on being unable to develop trust relationships with contractors who release exploits was interesting, and I wish there had been more discussion on that point. I would have thought signing a contract made it easier to sue for breach of contract than untested laws (or bad laws like the UK’s RIPA), so much so that you’d really think twice, as well as the negative downside of being considered untrustworthy with confidential data, which is like a plague to any consultancy business.
I really wish Ms Davidson had gone into detail on their SDL, as to what is really in there, and where we could read it and review it.
Oracle’s is an interesting turnaround considering that back in 2005/2006, the relationship between the research community and Oracle was at an all-time low, with researchers essentially begging Oracle to put in an SDL and address the security defects properly without outside folks finding them first.
I have since read that fences have been somewhat mended between researchers, such as David Litchfield, and Oracle. I still wince at that episode - it was entirely unprofessional of Oracle to attack Litchfield, who was practicing responsible disclosure for up to 600-800 days, when 30 is the norm. I personally was extremely unimpressed with Oracle’s approach of shooting the messenger rather than fixing the product.
I must admit that episode led me to dismiss Oracle as the walking dead, as they obviously couldn’t be trusted with data of value, and so I didn’t follow news about Oracle … until this interview.
I’m glad they’re now using automated SCA tools and fuzzers, are finding most of the security issues themselves, have an internal review team, and, my personal favorite, developer awareness/education. This is a 180-degree turnaround from the pre-2005/2006 era. I particularly like that she’s going to the universities and asking them to teach secure coding. This is what they SHOULD have been doing rather than attacking the research community.
I’m glad that Oracle is now drinking the Kool-Aid and treating security as a fundamental software engineering requirement. It’s about time.
thanks,
Andrew van der Stock
Lead Author, OWASP Guide to Writing Secure Applications and OWASP Top 10
March 31st, 2008 at 10:23 am
Hi Andrew
A few comments below.
Andrew van der Stock wrote:
> Gary,
> Good interview.
> The discussion on being unable to develop trust relationships with contractors who release exploits was interesting, and I wish there had been more discussion on that point. I would have thought signing a contract made it easier to sue for breach of contract than untested laws (or bad laws like the UK’s RIPA), so much so that you’d really think twice, as well as the negative downside of being considered untrustworthy with confidential data, which is like a plague to any consultancy business.
Realize that contracts cannot create trust - they prescribe performance, and remedy for non-performance. That’s it.
There have been instances of people breaching NDAs on disclosure related to vulnerabilities and the nuance of the fact that a vendor was trying to enforce confidentiality was lost in the media circus. Hence, a matter of contract enforcement becomes “big bad mean old vendor picks on noble security researcher.” Which was to my point about, “if you don’t trust someone, contracts will not create trust.”
Consider that some researchers’ business model is tied to PR related to “outing” vendors and “showing proof of concept/exploits.” Saying nice things about vendors does not generate PR. And I also know of a large vendor who used an NDA (and a big fat contract) to gag one of their more vocal critics.
Which means that one should be careful about automatically believing what researchers say about vendors - both good and bad - unless they (the researchers) are willing to disclose when/if they are on someone’s payroll or have a contractual relationship. It does not necessarily mean that they are wrong but this kind of “full disclosure” does give the reader a chance to think about whether the source is tainted or is influenced. For example, consider that journalists disclose whether or not they are a shareholder in companies they write about (to avoid the appearance of a conflict of interest). I think the same principle should apply to researchers.
> I really wish Ms Davidson had gone into detail on their SDL, as to what is really in there, and where we could read it and review it.
We have material on our web site on this. Obviously, our time was constrained in the interview to go into details.
> Oracle’s is an interesting turnaround considering that back in 2005/2006, the relationship between the research community and Oracle was at an all-time low, with researchers essentially begging Oracle to put in an SDL and address the security defects properly without outside folks finding them first.
Our metrics show that the vast majority of defects are ones we find ourselves; that has not changed much since we started keeping the metric. Which leads to an interesting problem: vendors get slammed for “numbers of vulnerabilities” when they do release, even though a number of those issues may be things they found themselves and are fixing because they believe it to be in customers’ best interests.
So, anyone can make their numbers look good by under-disclosing, or by not looking for issues themselves. And given there is no accepted definition of how to count security bugs (is a one-line code change that fixes 20 issues 1 bug or 20 bugs? what if it is not exploitable?), you can see that “the numbers game” is a dangerous one to play. The (perverse) incentive is to “game” the metric.
> I have since read that fences have been somewhat mended between researchers, such as David Litchfield, and Oracle. I still wince at that episode - it was entirely unprofessional of Oracle to attack Litchfield, who was practicing responsible disclosure for up to 600-800 days, when 30 is the norm. I personally was extremely unimpressed with Oracle’s approach of shooting the messenger rather than fixing the product.
I think this is not a fair comment and I’d be happy to explain in person some time. I agree that the long term answer is to give critics nothing negative to say about one’s product that is accurate.
And I also tell my team that basic good business 101 is to have good, consistent comms with researchers. We’ve tried to do that.
> I must admit that episode led me to dismiss Oracle as the walking dead, as they obviously couldn’t be trusted with data of value, and so I didn’t follow news about Oracle … until this interview.
Without naming them, I can say pretty confidently that customers who keep significant secrets keep them in Oracle. We work hard to earn and keep that trust.
> I’m glad they’re now using automated SCA tools and fuzzers, are finding most of the security issues themselves, have an internal review team, and, my personal favorite, developer awareness/education. This is a 180-degree turnaround from the pre-2005/2006 era.
We have had many elements of a secure development lifecycle for as long as I have worked in security at Oracle (since 1994), including a formal development process with security as an explicit element of design, functional, and test. Also, extensive security regressions (thousands of tests - and we can turn every “normal” regression test - 250,000 of them - into destructive security tests). Outside “product security vetting” has been part of this, as well.
We continue to invest in looking at what we can do more, broader and better. Automated tools are not a panacea but if you have 63 million lines of code in ONE product and have thousands of products, they are a godsend.
> I particularly like that she’s going to the universities and asking them to teach secure coding. This is what they SHOULD have been doing rather than attacking the research community.
I will be - very soon - publishing my letter to universities as an OPEN letter to ALL universities and asking vendors to join me in pushing universities to help fix our supply chain problem. Customers want more secure/higher security-worthy product? So do I.
I want “a secure educational development lifecycle” in universities, so the supply chain (CS/EE grads) we - the vendor community - get are “more secure.” That would be in everyone’s interests.
> I’m glad that Oracle is now drinking the Kool-Aid and treating security as a fundamental software engineering requirement. It’s about time.
Thank you -
Mary Ann
April 8th, 2008 at 3:35 pm
Gary,
Great interview. You’ve had some powerhouse interviews recently, for example with Chris Wysopal (“my dream is that a static tool can fix business logic flaws”) and Ed Amoroso (“security researchers are the bomb defusers of the Internet”).
I laughed at your blunt comment: “that would be great (everybody doing software assurance in 5 years) but also impossible”.
I never owned an MP3 player until last November and since then I have it wherever I go, loaded up with Silver Bullets and podcasts from ITConversations. I’ve learned so much since then that it’s almost unbelievable.
I can even measure the amount of software security I am learning by going back and re-listening to the older Silver Bullet episodes.
Andrew, in addition to your points:
* I liked her self-deprecating humor when she talked about her coding skills.
* I think she made a justified, underhanded jab at the appsec community to make our stuff easier to use when she said:
(At 4m 55sec) “There are a lot of people who are very well-intended and very sharp who come up with laundry lists of 8000 good things that we should do in security and all these things we should be doing and all these metrics - and that’s all great, but then … what is the benefit for the cost of getting that information?” and “the do-gooders, and in this case I mean it in a good sense, need to help people figure out what are the most important things to do first so that they’ll get the biggest bang for the buck”.
* I liked her point, using a military analogy, that products should be self-defending.
Cheers,
Stephen
April 8th, 2008 at 4:07 pm
Gary,
Great interview with Mary Ann Davidson. Some really good information and engaging dialog. I was impressed by her analogy of the Anglo-Zulu War and her general military knowledge. Not bad for a Navy person.
Andy