Thursday, September 8, 2011

Mary Ann Davidson on Security Auditors

Mary Ann Davidson, Chief Security Officer at Oracle, has just published an outstanding article, Those Who Can't Do, Audit, on companies that are now offering static code analysis as a service and why Oracle won't be turning over any of our code to them. Here at Oracle, security is a core part of every product.

While I do work in the Oracle Solaris Security team, we work on software that is typically seen as performing security-specific services. For example, I work on the Oracle Solaris Cryptographic Framework: we provide hardware-optimized cryptographic algorithms to applications and the rest of the operating system. A pretty standard security function. But secure coding standards, in-house static analysis, and security considerations need to be a part of the development of the entire operating system, not just its security components.

I think Ms. Davidson said it best: "Oracle cannot – does not – outsource security."

This post is syndicated from Thoughts on security, beer, theater and biking!

1 comment:

  1. That's an interesting article, and it made me wonder, especially when reading between the lines. While I expect they'd be looking to do rather more than conventional static code analysis, I hope Oracle doesn't think of the NSA and CESG as "SASO" and is prepared to provide code and assistance to these organisations as required - otherwise, that's rather a lot of Government business which will be going elsewhere...