Last updated: Yesterday, 15:36
Companies that use Oracle software and want to make sure it contains no security problems should not try to establish this through reverse engineering, since in that case they violate the license agreement. That is the position of Mary Ann Davidson, Chief Security Officer at Oracle.
In an extensive blog post, Davidson speaks out against reverse engineering Oracle products with scanners, tools or consultants. Customers do not have Oracle's source code, but through reverse engineering the operation of the code can still be traced, and security issues can then be found this way. According to the CSO, Oracle itself carries out this kind of checking of its code.
The software maker is therefore not waiting for scan reports from customers who have had such tools or consultants analyze the code. If the company receives such reports and it turns out that the scan results were obtained through reverse engineering, Oracle sends a letter stating that the customer is in violation and must stop. Instead of checking the code themselves, customers should look to certification and audit programs to see whether the software has its act together, says Davidson.
Reward
The CSO also addresses paying researchers for bug reports. More and more companies are implementing so-called “bug bounty” programs, in which researchers who find vulnerabilities and report them are rewarded. According to Davidson, Oracle finds 87% of the vulnerabilities itself, while 3% is discovered by security researchers. The remaining 10% is found by customers.
“Why would I spend a lot of money on 3% of the problem, if I can use that money for better prevention, or hire a new employee to develop a good tool,” says Davidson. She hopes the blog post will also prompt discussions with customers about the need to avoid violating the license agreement. “I would rather spend my time and that of my team improving our code than discussing the license agreement with people.” Davidson's statements have now provoked intense reactions on Reddit.
Update 15:36
Davidson's blog post has now been removed. An archived version is still available online.