
posted by takyon on Thursday August 13 2015, @02:46AM

Oracle's Chief Security Officer, Mary Ann Davidson, took to her blog to demand that users stop hunting for bugs in Oracle's software, because, among other things, it violates the user license.

The blog entry got deleted quickly, but is archived here:

Now is a good time to reiterate that I'm not beating people up over this merely because of the license agreement. More like, "I do not need you to analyze the code since we already do that, it's our job to do that, we are pretty good at it, we can – unlike a third party or a tool – actually analyze the code to determine what's happening and at any rate most of these tools have a close to 100% false positive rate so please do not waste our time on reporting little green men in our code." I am not running away from our responsibilities to customers, merely trying to avoid a painful, annoying, and mutually-time wasting exercise.

Please, Oracle users, don't worry your little heads - just stop violating the license agreement.

takyon: #oraclefanfic on Twitter

And an update from Ars:

Oracle Executive Vice President and Chief Corporate Architect Edward Screven made a statement distributed by e-mail to the press on the post:

The security of our products and services has always been critically important to Oracle. Oracle has a robust program of product security assurance and works with third party researchers and customers to jointly ensure that applications built with Oracle technology are secure. We removed the post as it does not reflect our beliefs or our relationship with our customers.

Just how Oracle's chief security officer fell out of alignment with Oracle's core beliefs and managed to spread her heretic thoughts on customers was not addressed.

  • (Score: 4, Insightful) by Anonymous Coward on Thursday August 13 2015, @07:11AM

    by Anonymous Coward on Thursday August 13 2015, @07:11AM (#222157)

    The reason why security experts have a job at all is because software engineers can't write secure code to save their lives.

    If code was secure in the first place, no one would have ever heard of the term cyber security as that would just be the status quo. Stop writing shit code and those "incompetent cyber security experts" will stop making you look bad by finding exploits. This is the very basis of the article we are discussing: a company that makes software being called out by security experts for it being shit and all the developers do is whine and say "stop that!"

  • (Score: 1, Insightful) by Anonymous Coward on Thursday August 13 2015, @11:03AM

    by Anonymous Coward on Thursday August 13 2015, @11:03AM (#222216)

    Yes, hire programmers at the lowest pay possible then complain that you can't get programmers who write secure code and that all programmers are like that.

    Insecure code and vulnerabilities built-into the system are a consequence of low paid, less talented programmers (excluding the things done by spy agencies).

    Want good, secure code that works, then grow a pair of balls to deal with real talent with all their quirks. Nothing is free and sweet and politically correct and tranny-hugging-nice. If you can't deal with the quirkiness of real talent, then you need to stop breathing.

    • (Score: 0) by Anonymous Coward on Thursday August 13 2015, @06:02PM

      by Anonymous Coward on Thursday August 13 2015, @06:02PM (#222430)

      No, it has nothing to do with paygrade. It has to do with difficulty and training. Making secure code is hard and unintuitive. You must be trained to do it. Programmers, like all engineers, spend nearly their entire thinking time trying to get something to work as intended. Getting to know how an active adversary will break your work requires thinking entirely differently and adopting a secure software development lifecycle. That is tough even for the people that specialize in it. You have to be trained in that stuff because it is wholly unnatural. Think a bachelor's specialization level of work just to get the basics down. We need more developers (all developers really) to go through that process, but few are willing to spend a year or two racking up an extra 40 college credits.

      • (Score: 2) by Grishnakh on Friday August 14 2015, @01:44AM

        by Grishnakh (2831) on Friday August 14 2015, @01:44AM (#222621)

        Why should they spend a year or two racking up 40 credits? Is the employer willing to pony up the time and money for these people to spend 2 years not working? If not, they have no right to complain. Why would anyone bother doing this when they can just get a CS or CpE degree like everyone else and immediately go to work making nearly 6 figures? Are they going to get 50% more pay for this extra training? Of course not.

        As usual, it all comes down to employers being cheap bastards and refusing to invest in their employees.

  • (Score: 0) by Anonymous Coward on Thursday August 13 2015, @01:23PM

    by Anonymous Coward on Thursday August 13 2015, @01:23PM (#222266)

    No real coder(*) wants [stilldrinking.org] to write crap code.

    *) yeah, they are probably all Scotsmen.

    • (Score: 1, Troll) by Runaway1956 on Thursday August 13 2015, @03:44PM

      by Runaway1956 (2926) Subscriber Badge on Thursday August 13 2015, @03:44PM (#222356) Journal

      Yeah, I actually read all the way through that link.

      "So no, I'm not required to be able to lift objects weighing up to fifty pounds. I traded that for the opportunity to trim Satan's pubic hair while he dines out of my open skull so a few bits of the internet will continue to work for a few more days."

  • (Score: 2) by Grishnakh on Friday August 14 2015, @01:47AM

    by Grishnakh (2831) on Friday August 14 2015, @01:47AM (#222622)

    The "security experts" I've seen are just there to fill a seat and look like the organization is doing its "due diligence". They don't know the first thing about coding or why software has vulnerabilities; all they know is some buzzwords they learned at some conference, and they spend their time making PowerPoint slides and running around acting like they know what they're doing.