
Oracle hits back at security critics

by Tom Sanders in California

29 Nov 2006


Oracle has lashed out at security experts who have criticised the company's security record.

The database vendor is "leading the software industry in terms of responsible development and security," wrote Eric Maurice, manager for security in Oracle's global technology business unit, in a posting on a company blog.

In recent weeks security researchers have targeted Oracle with several studies and blog postings. Both security vendor NGS Software and analyst firm Enterprise Strategy Group (ESG) have published studies comparing the number of software updates issued for Oracle and Microsoft databases. Both found that Microsoft outshone its competitor.

Argentinian security vendor Argeniss said last week that it was planning to organise a 'Week of Oracle Database Bugs'. The company said it would release details of one unpatched security vulnerability every day for a week to demonstrate the poor state of Oracle's database security. The company has since suspended the event.

Oracle's Maurice wrote his blog posting in response to "articles and blog entries", but didn't specifically mention the ESG, NGS Software or Argeniss cases.

However, he appeared to address the NGS Software and ESG studies by claiming that others were "trying to play the number game", and countered that the database vendor won't let "external perception drive our security policies".

He touted the company's support for the Common Vulnerability Scoring System (CVSS), a relatively new standard that provides a vendor-independent way of rating the severity of security flaws. The programme, run under the Forum of Incident Response and Security Teams (FIRST), is headed up by Cisco, while Microsoft is famously absent from its supporter list.

Indirectly lashing out at Argeniss, Maurice described researchers who publish zero-day exploits as irresponsible.

Rich Mogull, a research vice president with Gartner who heads up the firm's Information Security and Risk practice, said that the blog posting was mostly a public relations move.

While he agreed with the database vendor that disclosing zero-day vulnerabilities is irresponsible, he told vnunet.com that the vendor's claim that it is "leading the industry in terms of responsible development and security" is overblown.

"I would not say that Oracle is an industry leader yet. They need to mature as an organisation in how they manage these vulnerabilities," Mogull told vnunet.com.

"Oracle is putting practices in place, but they definitely aren’t as far along as some of the others."

He also pointed out that there has not yet been a large-scale attack targeting Oracle databases. If a worm aimed at them were to surface, however, it could cause major damage to corporate data or erase it altogether.

Customers are telling Oracle that they are dissatisfied with the firm's security record and the large number of patches it releases, but they aren't yet switching to competing products, Mogull added.

"If customers start buying other products, that would cause Oracle to change very quickly."
