Though Oracle CSO Mary Ann Davidson has lead a push for more secure software, her company has seen its share of...
criticism this year over how long it takes to acknowledge vulnerabilities and issue patches.
That's how she saw the industry as a whole in 2004: Not perfect in its approach to security, but better than the year before.
In an interview Friday, Davidson said the next and most important step is to bake security into the coding culture.
"You see more vendors focusing on the security of their software," Davidson said. "The National Cybersecurity Partnership met last December, and the main discussion was about what we need to do to implement national cyberspace security plans and how vendors can get together and raise the bar. There's a general realization that this affects all of us."
Better security on demand
Davidson believes that realization has been driven by customer demand.
"I see more interest among customers for security assurance," she said. "In May there was a business roundtable -- CEOs from 15 of the nation's largest companies -- and they broadsided the [tech] industry, telling the industry that many of their costliest problems were from poor quality software. They were essentially saying, 'We're mad as hell and we need you to step up.'"
She added: "Microsoft realized security was an absolutely critical issue for them because it's critical to [its] customers. If you know what your customers are doing, that your product is the backbone of their operation, you have that accountability. One reason vendors played the rush-to-market game for so long is because it worked for a long time. I don't think that works anymore. Customers are asking smarter, more pointed questions."
Coding culture must change
Despite this progress, Davidson said there are still serious problems at the development stage. Until that changes, she said the battle will never be won.
"You really need a revolution in the IT industry," she said. "There's still a cultural problem. If engineers built bridges as software developers build software, there wouldn't be a bridge standing. The software industry still doesn't have that mentality. That mental shift has not taken place."
To force a change in the coding culture, Davidson said the answer might be a separate accreditation process focused on software development or other forms of certification to crank up the pressure.
"I don't want to denigrate people who have done marvelous things with software, but they need to focus on security before they do all the wonderful things," she said. "The good news is there are universities out there looking at how they can crank out developers who better understand this."
Oracle's patching challenge
Davidson said Oracle's monthly cycle was never set in stone. "It was widely reported that we went to monthly patches," she said. "What I actually said was that we were moving to monthly and we were. We were thinking monthly because that's what Microsoft was doing. Then questions came up about how quickly you could reasonably do the patching."
In Oracle's case, she said patching is not the same as it is with Microsoft. "It's different to patch the core database that holds your secrets," she said. "There were customers who had never patched because the database was too important to ever touch. It's a huge deal for them to touch their systems. They did not want it to be monthly. It could be a million-dollar process for them. I don't worry about head-to-head comparisons [with Microsoft]. I worry about how to meet the needs of our customers."
In the final analysis, she said a company like Oracle wants to be good at patching because it's easier for customers. "On the other hand, you don't want to get good at it because you never want to become comfortable about patching," she said. "You don't want your software to need patching in the first place."
This article originally appeared on SearchSecurity.com.