Fri 26 May 2006
Colin Barker and Jonathan Bennett, Special to CNET News.com
Oracle’s security chief says the software industry is so riddled with buggy product makers that “you wouldn’t get on a plane built by software developers.”
Chief Security Officer Mary Ann Davidson has hit out at an industry in which “most software people are not trained to think in terms of safety, security and reliability.” Instead, they are wedded to a culture of “patch, patch, patch,” at a cost to businesses of $59 billion, she said.
“What if civil engineers built bridges the way developers write code?” she asked. “What would happen is that you would get the blue bridge of death appearing on your highway in the morning.”
Speaking at the WWW2006 conference in Edinburgh, Scotland, on Thursday, Davidson also touched on the wider subject of the state of the software and security industries.
The pressure to deal with the problem of unreliable and insecure software is building, and the industry has reached a “tipping point,” she said.
It is now “chief executives who are complaining that what they are getting from their vendor is not acceptable, in terms of software assurance,” Davidson said.
Things are so bad in the software business that it has become “a national security issue,” with regulation of the industry currently on the agenda, she said. “I did an informal poll recently of chief security officers on the CSO Council, and a lot of them said they really thought the industry should be regulated,” she said, referring to the security think tank.
“Industries don’t want to be regulated, but if you don’t want to be regulated, the burden is on you to do a better job.”
Davidson also hit out at the “hacking mentality,” and the incidence of exploits that could cause “a million dollars worth of damage…passed around freely at conferences.” She said there was a major difference between people working in the software business and engineers who “are trained to think in terms of safety, security and reliability first.”
She claimed that the British are particularly good at hacking as they have “the perfect temperament to be hackers–technically skilled, slightly disrespectful of authority, and just a touch of criminal behavior.”
Colin Barker and Jonathan Bennett of UK.Builder.com reported from London.