Monday, May 29, 2006

I'm failing to live up to Oracle's expectations for me

According to Oracle, it appears that, as a Brit, I should be "technically skilled, slightly disrespectful of authority, and [show] just a touch of criminal behaviour". It seems I need to make more of an effort on the whole "breaking and entering" side of things.... can't let my compatriots down.

Oracle's CSO Mary Ann Davidson does make some good points: there's too much patching going on in the IT industry. I'll resist the easy temptation of pointing to Oracle's record on fixing security problems...... it wouldn't be sporting (another British trait...)

However, what are we to do? Regulation of the IT industry would be the best recipe known to man for plunging the world into a death spiral of low innovation, low productivity, low growth, high poverty, high misery (and that's just Oracle Apps customers.... ho ho ho).

Eric Sink wrote an article about buggy code in the Guardian recently.

He takes the view that all vendors knowingly ship code with defects... but what separates the good vendors from the bad vendors is that they have tested extensively and they know what the quality of their code is. That is: you can ship code with no known defects by simply not testing it. His view is that it is far better to understand the overall quality and then make a reasoned judgement. (I count Oracle amongst the "good vendors" by the way...)

What makes security problems so difficult is that they are not at all amenable to the severity/frequency/cost/risk methodology...... it's finding them in the first place that is so treacherously difficult.

So, I think there's definitely a case for vendors getting far, far better at designing for security, coding for security and testing for security..... Microsoft have actually done a lot to educate the wider community on how to do this (credit where it's due...). However, I don't see how we can get away from the recurrence of "emergency patches". By their nature, they're patches that have been released to correct a problem that was not previously known about (or which was incorrectly assumed to have a lower risk).
