Why is Commercial Software So Vulnerable (and How Can We Fix It)?
Adam L. Jacobs, CISSP
Principal Program Manager, Oracle
14 October 2005

State of Things Today
• Many vulnerabilities in commercial software
• Typical vendors release dozens of fixes annually
• No indication this is improving

Kinds of Vulnerabilities
• Design Flaws
• Implementation Flaws

Design Flaws
• Occur when software is planned and specified without proper consideration of security requirements and principles
• Examples:
  – Cleartext passwords
  – Weak or proprietary cryptography

Design Flaws
• Why do Design Flaws happen?
  – Rushed engineers
  – Ignorance of security requirements or principles
• Fortunately, software designs are improving!

Design Flaws
• As Design Flaws are found, they are fixed in future releases
• But . . .
• These can be deeply ingrained, architectural issues
• Industry is moving in the right direction
• Design Flaws are a minority of the security bugs we see

Implementation Flaws
• Occur when software developers make a mistake when coding software
• (Just like other bugs, but some have serious security implications!)
• Implementation Flaws are independent of design

Implementation Flaws
• Examples:
  – Buffer overflows
  – Integer over/underflows
  – SQL Injection
  – Format string

Implementation Flaws
• Why do Implementation Flaws happen?
• Human error
• We cannot eliminate human error, but we can do more to minimize it
• Most serious security bugs are due to these careless mistakes

How Can We Improve?
• Education
  – Not every developer can be a security expert
  – Every developer must understand security fundamentals
• At Oracle, we have had success with a web-based, on-demand secure coding training class

How Can We Improve?
• Individual accountability
  – Education makes people accountable!
  – Hold developers accountable for writing quality code.
• Automated tools
• Power of the consumer

The End
• Any questions?
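The implementation-flaw classes listed on the Implementation Flaws slide are coding-level mistakes, so the clearest way to see them is the careless pattern next to its corrected form. The C below is an added example written for this page; it is not from the talk, from Oracle, or from any product the deck refers to, and the function names, buffer sizes and sample inputs are constructed for illustration. It covers three of the four classes named on the slide: an unchecked copy versus a bounded copy (buffer overflow), an unchecked size multiplication versus a checked one (integer overflow), and user text used as a format string versus passed as an argument (format string). SQL injection is left out here because the fix lives in the database API (parameterised queries) rather than in plain C.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* --- Buffer overflow ------------------------------------------------------
 * The careless pattern is strcpy(dst, src) with no check that src fits.
 * copy_bounded refuses the copy instead of writing past the end of dst. */
bool copy_bounded(char *dst, size_t dst_size, const char *src)
{
    size_t n = strlen(src);
    if (dst_size == 0 || n >= dst_size)   /* no room for the text plus NUL */
        return false;
    memcpy(dst, src, n + 1);
    return true;
}

/* --- Integer overflow -----------------------------------------------------
 * The careless pattern is malloc(count * elem_size): the product can wrap
 * to a small number, and later writes overrun the too-small block.
 * checked_mul detects the wrap before the multiplication is used. */
bool checked_mul(size_t count, size_t elem_size, size_t *out)
{
    if (elem_size != 0 && count > SIZE_MAX / elem_size)
        return false;                    /* product would wrap */
    *out = count * elem_size;
    return true;
}

/* Allocate `count` records of `elem_size` bytes, or NULL if the size wraps. */
void *alloc_records(size_t count, size_t elem_size)
{
    size_t bytes;
    if (!checked_mul(count, elem_size, &bytes))
        return NULL;
    return malloc(bytes);
}

/* --- Format string --------------------------------------------------------
 * The careless pattern is printf(user_text): conversion specifiers inside
 * the text are interpreted. Passing the text as a %s argument keeps it inert.
 * Returns snprintf's count of characters that would have been written. */
int format_user_text(char *out, size_t out_size, const char *user_text)
{
    return snprintf(out, out_size, "user said: %s", user_text);
}

/* --- Fixed-input checks (constructed inputs) so the results can be asserted --- */
bool demo_copy_fits(void)
{
    char buf[8];
    return copy_bounded(buf, sizeof buf, "hello") && strcmp(buf, "hello") == 0;
}

bool demo_copy_rejected(void)
{
    char buf[8];
    return !copy_bounded(buf, sizeof buf, "this is too long");
}

bool demo_alloc_rejected(void)
{
    /* SIZE_MAX/4 + 1 records of 4 bytes: the byte count would wrap */
    return alloc_records(SIZE_MAX / 4 + 1, 4) == NULL;
}

bool demo_alloc_ok(void)
{
    void *p = alloc_records(4, 4);
    bool ok = (p != NULL);
    free(p);
    return ok;
}

bool demo_format_inert(void)
{
    char buf[64];
    format_user_text(buf, sizeof buf, "%x%x");   /* specifiers are copied, not interpreted */
    return strcmp(buf, "user said: %x%x") == 0;
}

int main(void)
{
    printf("bounded copy fits: %d, rejected: %d\n", demo_copy_fits(), demo_copy_rejected());
    printf("alloc rejected: %d, ok: %d\n", demo_alloc_rejected(), demo_alloc_ok());
    printf("format string inert: %d\n", demo_format_inert());
    return 0;
}
```

Each corrected function turns the silent failure (a write past the end of a buffer, a wrapped allocation size, an interpreted specifier) into an explicit return value the caller has to handle, which is the kind of check the slide's "minimize human error" point is asking for; compiler warnings and static analysis tools, the "automated tools" bullet, flag the careless forms of all three patterns.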