Oracle Wants You to Stop Reverse-Engineering its Software

Or, ‘Stop finding vulnerabilities in our software, because it makes us feel bad.’

Oracle’s Chief Security Officer Mary Ann Davidson launched an astonishing – and now-deleted – attack on customers who deign to reverse-engineer the company’s software to find security holes, warning them that it’s a breach of the licensing agreement.

Davidson ranted:

“Recently, I have seen a large-ish uptick in customers reverse engineering our code to attempt to find security vulnerabilities in it. < Insert big sigh here. > This is why I’ve been writing a lot of letters to customers that start with “hi, howzit, aloha” but end with “please comply with your license agreement and stop reverse engineering our code, already.”

You should let the professionals – y’know, the one’s responsible for the security holes in the first place – deal with it, you naughty children! She continued:

“I can understand that in a world where it seems almost every day someone else had a data breach and lost umpteen gazillion records to unnamed intruders who may have been working at the behest of a hostile nation-state, people want to go the extra mile to secure their systems.

That said, you would think that before gearing up to run that extra mile, customers would already have ensured they’ve identified their critical systems, encrypted sensitive data, applied all relevant patches, be on a supported product release, use tools to ensure configurations are locked down — in short, the usual security hygiene — before they attempt to find zero day vulnerabilities in the products they are using.”

Oracle’s software boasts Common Criteria certifications or FIPS-140 certifications, so it’s safe, Davidson claims. And, if that’s not enough to stop you tinkering, Oracle will censure “sinners” who breach its software’s terms and conditions:

“If we determine as part of our analysis that scan results could only have come from reverse engineering (in at least one case, because the report said, cleverly enough, “static analysis of Oracle XXXXXX”), we send a letter to the sinning customer, and a different letter to the sinning consultant-acting-on-customer’s behalf — reminding them of the terms of the Oracle license agreement that preclude reverse engineering, So Please Stop It Already.”

The meandering rant was later deleted, with Edward Screven, Executive Vice President and Chief Corporate Architect (which must be the best made-up title ever) saying:

“The security of our products and services has always been critically important to Oracle. Oracle has a robust program of product security assurance and works with third party researchers and customers to jointly ensure that applications built with Oracle technology are secure. We removed the post as it does not reflect our beliefs or our relationship with our customers.”

For those who would like to read Davidson diatribe in its full glory, one helpful “sinner” has posted it to Scribd.

Thank you ZDNet for providing us with this information.