Litchfield said the company took up to eight months to deliver a series of patches that still did not fix the problem.
He’s not the only one having problems with the software industry. Former White House cybersecurity adviser Howard Schmidt also laid into developers and called on governments to make software developers personally liable for the security of the code they create. He told the SecureLondon 2005 conference that software developers “should be held personally accountable for the security of the code they write.”
But others said we should concentrate on fixing bugs, rather than apportioning blame. “The emphasis should be on resolving flaws at the quality-assurance (QA) testing stage, so they never find their way into the final release of a software product,” said Yochi Slonim, CEO of application testing company Identify.
Gunter Ollmann, director of X-Force, Internet Security Systems, agreed, saying: “Software companies have to refine their QA testing to include security efforts.”
He said the security of software is generally getting better, due in part to pressure from researchers such as Litchfield and to the media highlighting problems.
For instance, Microsoft, once viewed as the worst source of insecure products, is now regarded by many as a model of vulnerability handling. It has opened clear channels of communication with security researchers and its code has improved.
But Litchfield said Oracle has much progress to make. “What is apparent is that Oracle has no decent bug discovery/fix/response process; no QA; no understanding of the threats; no proactive program of finding and fixing flaws. Is anyone in control over at Oracle HQ?”
Simon Perry, vice-president of security at Computer Associates, said the software industry needs to take this subject seriously: “Vendors have a responsibility to work with researchers. This software underpins the economy of the developed world. It has to get better and it won’t do so if you ignore the problem.”