Since it was first disclosed, I’ve been talking to lots of folks about the Oracle “TNS poison” vulnerability that’s out there.
Mostly, the talk has been focused on understanding the risks and implementing appropriate workarounds. But there seems to almost always come a time in the conversation when someone asks, “How can this be?”
It’s stunning to consider that Oracle sat on this issue for so long. It’s a critical vulnerability that fully compromises any Oracle database. It’s easy to exploit, requires no authentication, and it’s almost undetectable using built-in database features. But through the years and through a major database release, it remained unfixed and under wraps.
Usually “How can this be?” morphs into “How do they get away with it?” That’s where I start thinking about pointing that finger. Who is to blame? Why can Oracle get away with this approach to securing their $12 billion-a-year database platform?
But the more I think about it, the more I think it is your fault. Yup, I’m talking about you, sitting there, reading this. Particularly those of you working at shops with racks of servers running Oracle software in your data centers. It’s (mostly) your fault.
If you’re still reading, you’re probably wondering how I’ve arrived at such a ridiculous position. Let me explain my rationale. When it comes right down to it, Oracle runs a business just like any other. They are accountable to their shareholders to use their resources to drive revenue and profit. Like any well run business would, Oracle responds to their customers’ needs and demands — delivering the features, functionality and reliability database and application owners demand. In that context, as someone who owns Oracle software, ask yourself, what do you demand?
I keep asking people if, after hearing the TNS poisoning story, they will stop using Oracle. The response is always the same. The way people look at you when they’re thinking you’re crazy, that’s the response I’ve been getting. Nobody is refusing to do business with Oracle until they get their act straight on the security front (OK, I’m sure there is somebody, we just haven’t spoken yet).
If you’re still buying from Oracle after all the years of massive security holes that take forever to get fixed, then are subsequently downplayed with artificially low-risk rankings, well then, I think you are the problem.
One thing Oracle is, is a well-managed company. There is no question about it. Larry Ellison and his crew can really run an enterprise, can go head-to-head with any competition, and all have earned their personal fortunes as a result of their keen business sense. It’s that business sense that tells them their current security investment and process is the right one.
For that to change, the market must make it change, and that happens one customer at a time. Tell Oracle you want a more secure product. Tell them you want to see them publish a timeline for how long every vulnerability reported to them took to fix. Tell them you want them to hire a well-known third-party security expert to examine their source code for vulnerabilities, and then publish an independent report on their findings. Tell them that you’re going to take the next year to look for an alternate database platform, and if they don’t improve to meet your security needs during that time, that you’ll be ready to give your money to someone else.
If you start doing that, you’ll see a change, and you’ll see it quickly.
You, the customer, have all the power in this relationship, but you aren’t exercising it. It’s like a game of poker played with the cards face up, but you’ve got a full house and they’ve got a pair of deuces…and yet you are still folding every time.
Oracle has the skills and resources to solve their security problems if they want to. Make them want to. No, make them need to, and then they will.
This problem is in your hands people. Please go solve it.
Josh Shaul is CTO of Application Security Inc., which makes database security products.