News Stay informed about the latest enterprise technology news and product updates.

Oracle CSO: Security must be baked into coding culture

Mary Ann Davidson said 2004 was the year software vendors saw the light on security. Now the industry must make developers see it too, and the accreditation process can be used to apply pressure for change, she says.

Though Oracle CSO Mary Ann Davidson has lead a push for more secure software, her company has seen its share of criticism this year over how long it takes to acknowledge vulnerabilities and issue patches.

After releasing

If engineers built bridges as software developers build software, there wouldn't be a bridge standing.

Mary Ann Davidson,

Oracle CSO

patches when needed and then, briefly, monthly, the tech giant eventually settled on a quarterly patching schedule, a move based on customer feedback. The solution isn't perfect, Davidson admits. After all, the key is to produce software that doesn't need patching in the first place. But it was a step in the right direction.

That's how she saw the industry as a whole in 2004: Not perfect in its approach to security, but better than the year before.

In an interview Friday, Davidson said the next and most important step is to bake security into the coding culture.

"You see more vendors focusing on the security of their software," Davidson said. "The National Cybersecurity Partnership met last December, and the main discussion was about what we need to do to implement national cyberspace security plans and how vendors can get together and raise the bar. There's a general realization that this affects all of us."

Better security on demand

Davidson believes that realization has been driven by customer demand.

"I see more interest among customers for security assurance," she said. "In May there was a business roundtable -- CEOs from 15 of the nation's largest companies -- and they broadsided the [tech] industry, telling the industry that many of their costliest problems were from poor quality software. They were essentially saying, 'We're mad as hell and we need you to step up.'"

She added: "Microsoft realized security was an absolutely critical issue for them because it's critical to [its] customers. If you know what your customers are doing, that your product is the backbone of their operation, you have that accountability. One reason vendors played the rush-to-market game for so long is because it worked for a long time. I don't think that works anymore. Customers are asking smarter, more pointed questions."

Coding culture must change

Despite this progress, Davidson said there are still serious problems at the development stage. Until that changes, she said the battle will never be won.

"You really need a revolution in the IT industry," she said. "There's still a cultural problem. If engineers built bridges as software developers build software, there wouldn't be a bridge standing. The software industry still doesn't have that mentality. That mental shift has not taken place."

To force a change in the coding culture, Davidson said the answer might be a separate accreditation process focused on software development or other forms of certification to crank up the pressure.

"I don't want to denigrate people who have done marvelous things with software, but they need to focus on security before they do all the wonderful things," she said. "The good news is there are universities out there looking at how they can crank out developers who better understand this."

Oracle's patching challenge

Davidson said Oracle's monthly cycle was never set in stone. "It was widely reported that we went to monthly patches," she said. "What I actually said was that we were moving to monthly and we were. We were thinking monthly because that's what Microsoft was doing. Then questions came up about how quickly you could reasonably do the patching."

In Oracle's case, she said patching is not the same as it is with Microsoft. "It's different to patch the core database that holds your secrets," she said. "There were customers who had never patched because the database was too important to ever touch. It's a huge deal for them to touch their systems. They did not want it to be monthly. It could be a million-dollar process for them. I don't worry about head-to-head comparisons [with Microsoft]. I worry about how to meet the needs of our customers."

In the final analysis, she said a company like Oracle wants to be good at patching because it's easier for customers. "On the other hand, you don't want to get good at it because you never want to become comfortable about patching," she said. "You don't want your software to need patching in the first place."

This article originally appeared on

Dig Deeper on .NET Framework 2.0 and Visual Studio 2005 development

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.