Backing Up Oracle's "Unbreakable" Vow
By Alex Salkever
Mary Ann Davidson is one cool customer -- but she has to be. As chief security officer for database and business-software giant Oracle, her job is making sure that its programs live up to the "Unbreakable" claim that's at the center of an ongoing marketing campaign. The pitch, a favorite of Oracle CEO Larry Ellison, seeks to convince customers that Oracle software will foil any and all cyberattacks.
As Davidson well knows, such claims are anathema in the information security community, where consensus holds that any piece of software, no matter how secure, can be cracked. The boast has attracted a huge spike in hacker attacks against Oracle's Web site. The company claims that so far, none have been successful. However, security researcher David Litchfield recently announced that he found a vulnerability in Oracle's application-server software in December, 2001.
Davidson, one of a handful of women occupying a high rank in the information security universe, is unfazed. She started her career as a civil engineer working with the Navy Seabees and has spent the past 14 years with Oracle, where she ascended to the CSO slot in December. On Jan. 11, she spoke with BusinessWeek Online Technology Editor Alex Salkever. Here are edited excerpts of their conversation:
Q: So how did Larry Ellison convince you to sign off on the "Unbreakable" promo campaign? I would be terrified as a chief security officer to do that. A:
Q: So how did Larry Ellison convince you to sign off on the "Unbreakable" promo campaign? I would be terrified as a chief security officer to do that.
A:He decided to run "Unbreakable" before I started as chief security officer, so I have an easy out. Larry has said publicly that when he first proposed "Unbreakable," the biggest pushback he got [inside the company] was from the server technologies group, which includes my group.
Calling your code "Unbreakable" is like having a big bull's-eye on your products and your firewall. Obviously, nobody wants to be a target. But when we thought about it, we thought what does "Unbreakable" really speak to? It speaks to product assurance. I stand behind that commitment and our products.
Q: Do you really think the product is "Unbreakable," or is it just a lot less breakable? A:
Q: Do you really think the product is "Unbreakable," or is it just a lot less breakable?
A:Well, think about what the opposite of "Unbreakable" would be: "Our products can be broken into, and we don't care." Look, our core customers are among the most security-conscious in the world. I respectfully and somewhat lovingly refer to them as the professional paranoid. I'm not allowed to say who they are, but you can guess.
Even if we don't do things perfectly but we do it much better than our competition and customers purchase Oracle on that basis, you will see the overall level of security improve in the industry. "Unbreakable" gives us something to live up to. It really does concentrate the mind wonderfully. The general thought is don't embarrass the company. Nobody wants to be the group that makes us violate it.
Q: When did Ellison start to become interested in the idea of securing things and making security a chief concern? A:
Q: When did Ellison start to become interested in the idea of securing things and making security a chief concern?
A:He has always been concerned about it, and he has always been very knowledgeable about it. He knew that we had a security group, and he knew what we built, down to a fairly technical understanding of the product. But I think "Unbreakable" is a reflection of a big change. [It used to be] security was something that only the professional paranoid worried about. Now with the growth of the Internet, security is something that everyone now has to be concerned about. You must admit, from a marketing standpoint, it has a punchy sound. It's a lot better than "Pretty Darned Good Security."
Q: How did Oracle go about securing its products? What did you do differently? A:
Q: How did Oracle go about securing its products? What did you do differently?
A:Not that much different, actually. We used the same processes we have used before in terms of putting secure programming and development standards in place. We are being more stringent and, dare I say, draconian, in making sure people adhere to coding standards and product check-off lists before we ship products.
Q: Tell me more. A:
Q: Tell me more.
A:In addition to having coding standards, we make every group that owns a line item in our product components complete a questionnaire that is geared toward making sure we avoid the top 15 stupid security mistakes companies get burned on. Some of the check-offs are on the propeller-head level, like checking for buffer overflows [a security vulnerability where a hacker can overload an entry field with characters, causing a computer to crash and possibly allowing cyberintruders to break into the system]. Something like 80% of all security vulnerabilities published have to do with buffer overflows.
The check-offs go down to things like forced password changes for default accounts. [While] a lot of it is Security 101, some of it is more technical. With those lists, it's 100% compliance. We are not going to allow any deviation at all.
Q: What do you think are the broad lessons the software industry could learn from your experiences at Oracle and with "Unbreakable"? A:
Q: What do you think are the broad lessons the software industry could learn from your experiences at Oracle and with "Unbreakable"?
A:You can't slap it on at the end. If you don't commit to a secure product [throughout its entire life cycle], you can't engineer it in at the end and expect to have secure products.
Q: What are the three most important steps any company can take to build more secure software? A:
Q: What are the three most important steps any company can take to build more secure software?
A:The line in real estate is "location, location, location." In security, it's not as straightforward but it's the same idea -- "culture of security, culture of security, culture of security." If you don't maintain a corporate culture that puts security as an important thing, you can't convince your developers to make your code as bulletproof as possible.
Q: Has security sealed any deals for you with people who were sitting on the fence? A:
Q: Has security sealed any deals for you with people who were sitting on the fence?
A:Absolutely. You have seen our marketing campaigns from the past. I was joking we should run one that said two out of three e-paranoids run on Oracle.
Salkever covers computer security issues twice a month in his Security Net column, only on BusinessWeek Online
Edited by Douglas Harbrecht