24th episode of The Silver Bullet Security Podcast.
Interview with
Mary Ann Davidson (CSO of Oracle)
CSO does focus on product security, specifically engineering security on the product development cycle.
MBA helps:
In ~2002 NIST study, the costs of bad software is about 60 billion per year - people pays for bad security.
There are a lot of people who are very well-intended and very sharp who come up with laundry lists of 8000 good things that we should do in security and all these things we should be doing and all these metrics - and that’s all great, but then … what is the benefit for the cost of getting that information?
What can I do with the same resources that provide higher pays off?
Measurement!
Disclosure is almost like a religious discussion, it is not about what I have to do to look good in eWeek this week.
we use outside firm from time to time, i'm not against outsource
we hard hard time to ack M$ & sun about Java vulnerability
I'll be very surprise if vendor nowadays does not reach when ppl inform about vulnerability
unbreakable campaign: most ppl who work in security say "hey what you are doing"
It wasnt my idea
It was a very strong statement
we have a prove points... we spent gazillion of dollar on testing... our competitors did nothing...
at the end it was positive
oracle approach on the evolution of security:
there are many things that we have now that we didnt have.
simply common criteria is not enough
we use more automated tools (bc we HAVE automated tools)
we license a few things
even the greatest developers who recheck their code to remove flaws can miss a flaw, what we going to do? yell a them? ask them for perfection? no!
automated tool might have found what we missed...
security development cycle
every single product, whether we develop or acquire has the same consistent process
if you device bugs and flaws, we have 50-50
our first customer was CIA, we build security embedded in our products 30 years ago
top best practice:
every body has to get secure coding practice - bc we dont get this in univ
vendor has to go back to univ to force them to teach secure coding!
Oracle sent letters to top 10-15 Univ where the new hires come, and telling "look it costs us & customer a lot of money to fix Avoidable & Preventable defects the key word are "avoidable" and "preventable".
the reason: ppl we get from Univ dont know these stuff!!!
you cant really test security, but at least you get out of junk from you code
if we have product which can self defended (as marines are marines first, they can defend them selves) - we will be in a better position.
lenght: 28:45m
Labels: cissp, security