On Security, Is Oracle the Next Microsoft?



By Paul F. Roberts


  Table of Contents:
  1. On Security, Is Oracle the Next Microsoft?
  2. ' Unpatched Holes Keep Adding '
  3. Can Developers be Relied On to Test Security?

Oracle, despite being a database software giant, is widely accused of having lackluster security, and experts suggest the company clean up its act in the same vein as Microsoft.

On Security, Is Oracle the Next Microsoft? - Can Developers be Relied On to Test Security?

( Page 3 of 3 )

"In my opinion, Oracle doesn't have enough people (working on) security. They have so many different products," said Kornbrust.

According to Davidson, Oracle developers carry most of the weight of fixing security holes in their code, with so-called "bug handlers" from Davidson's group dealing directly with developers when questions arose about a particular fault.

Members of Davidson's group, or Davidson herself, occasionally "ride in on a broom" to staff meetings when questions arise about product security, or to enforce the company's policy on secure coding, she said.


But relying on developers creates problems when those developers lack security expertise, said Kornbrust, who claims to be a former employee of Oracle in Germany and Switzerland.

"They're just normal developers, and it's difficult to test your own product," he said.

Individual developers also have too much leeway to decide, unilaterally, whether or not a problem is a security risk, Kornbrust and Cerruda said.

In contrast, Microsoft has established a separate Security Technology & Business Unit that acts as a central security consulting organization for the entire company, said Michael Howard, senior security program manager at Microsoft.

The company has a defined reporting hierarchy and point persons in each product group through which security issues are channeled, he said.

Microsoft is also building security expertise within each product group, using events like the recent "Blue Hat" gathering, in which hackers were brought in from outside to show Microsoft developers how they attack their code.

The company also relies heavily on automated scanning tools to spot security holes in computer code and on threat modeling technology that can spot potentially vulnerable features before they are even written, Howard said.

For example, the company shelved a planned Windows Update feature for its upcoming Vista release after threat modeling tools flagged the planned feature as a security risk.

"Five years ago, that feature would have been built, but two weeks from shipping, somebody would have said, 'What's that? We can't do that!' to a feature we spent 10,000 person hours building, documenting and shipping," Howard said.

Speaking with eWEEK, Davidson said that she is not a "policy fanatic," but that her group tries to enforce the company's security policies consistently across product groups and raise awareness of security best practices through "hack of the week" exercises that use real examples of security holes in Oracle products and mandatory online security training for developers.

Automated tools help, but put ultimate responsibility on developers and managers to improve the security of the company's products, Davidson said.

"(Automated tools) won't cure bad attitudes," she said.


"Oracle isn't nearly as far down the evolutionary path as Microsoft," said Ted Julian, vice president of marketing for Application Security Inc., of New York.

"You're talking about a complete change in how (Microsoft) thinks about security—top to bottom," he said.

Part of the reason may be that Microsoft's products, like Windows and Internet Explorer, have long been a target of inexperienced hackers.

On the other hand, the far smaller number of sophisticated and well-defended Oracle products are compromised less often, and doing so requires much more skill, Julian said.

Still, Oracle has a long and hard development effort ahead of it to get its product groups integrated under one security architecture, Oltsik said.

"They need to double their commitment (to security) and standardize it across all their products and acquisitions," he said.

Like Microsoft, Oracle has to develop systems and processes for communicating with outside researchers, and figure out a way to push critical fixes out to customers quickly, rather than sitting on them or waiting for a quarterly patch release, said Julian.

"The last thing Oracle needs is a reputation of being insecure or arrogant about security," he said.

Still, the problems facing Oracle may not be so different from those facing other major database vendors, including IBM and Microsoft itself, Julian said.

"I think the industry as a whole is getting its arms around the fact that database security is a big deal. They know they need to do something about this, but they're not sure what, or how and in what order," he said.
