COMMENT: All Secure
Automating Security
By Mary Ann Davidson
Papa's got a brand-new bag (of tools).
Oracle is celebrating its 30th anniversary this year. Some of us old-timers have been busy wallowing in nostalgia by cataloging remembrances of how Oracle has changed over these 30 years. There's sometimes a tendency to think that old times were better, but even those with Luddite inclinations can agree with my mother when she says, "Without change, there is no growth." (I used to joke that working at Oracle was like the weather in San Francisco: if you aren't 100 percent thrilled at any given moment, wait half an hour, because it will change.)
There are a great many things that are actually better now than in the "good old days." One of these has been the growth in tools that help people do security-related things more easily. Security automation can help everyone from developers trying to get their products out the door securely (by finding defects in software that could lead to security vulnerabilities) to customers trying to ensure that their security posture remains strong from day to day despite frequent configuration changes. Figure that most systems are larger and more complex than they used to be, and you realize why security automation is the wave of the future even if it was needed yesterday.
Automating Security Now
Oracle has some homegrown tools we use to help find and root out common secure-coding errors. Some of these have been developed by Oracle's ethical hacking team, whose technical acumen is exceeded only by its sense of humor in naming the tools. (SQL*Splat is a tool for finding SQL injections, and Bit*Rotter is a protocol fuzzer.) The ethical hacking team uses these tools to automate its security assessments, and the quality assurance teams use them to keep ahead of the ethical hackers.
We've also licensed tools from third-party vendors. You can't test security into a product, but even a really good developer can benefit from tools that automate finding security-related defects. Some of these tools do static analysis: tracing through source code to find how an input at point X (one that is never validated, for example) could flow to point Y later in the code and become an actual exploit there. We also use automated tools to test Web interfaces—in both our development and production environments—for common security vulnerabilities. No one tool does it all. Just as for building a house, you need hammers, saws, and screwdrivers as well as a good design and excellent workers.
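The "input at X reaches exploit at Y" idea is taint tracking. The following is an added example, not code from the column or from any Oracle tool: a toy intra-procedural taint analysis written over Python's own ast module. It marks the return value of assumed source calls (request.args.get, input) as attacker-controlled, lets assumed sanitizers (int, shlex.quote) clear the mark, follows the mark through assignments, string concatenation and f-strings, and reports every assumed sink call (cursor.execute, os.system) that receives tainted data. The analysed program is constructed for the example.

```python
"""Toy taint analysis: follow attacker-controlled data from a source call (point X)
through assignments to a dangerous sink call (point Y) inside each function.
SOURCES/SANITIZERS/SINKS are this example's assumptions, not any real tool's rules."""
import ast

SOURCES = {"request.args.get", "input"}   # calls whose return value an attacker controls
SANITIZERS = {"int", "shlex.quote"}        # calls whose result we treat as neutralised
SINKS = {"cursor.execute", "os.system"}   # calls that must never receive tainted data
BLOCKS = ("body", "orelse", "finalbody", "handlers")  # fields holding nested statements


def call_name(node):
    """Dotted callee name of a Call, e.g. 'request.args.get'; None if not a name chain."""
    parts, f = [], node.func
    while isinstance(f, ast.Attribute):
        parts.append(f.attr)
        f = f.value
    if not isinstance(f, ast.Name):
        return None
    parts.append(f.id)
    return ".".join(reversed(parts))


def is_tainted(node, tainted):
    """True if evaluating this expression can yield attacker-controlled data."""
    if isinstance(node, ast.Name):
        return node.id in tainted
    if isinstance(node, ast.Constant):
        return False
    if isinstance(node, ast.Call):
        name = call_name(node)
        if name in SOURCES:
            return True
        if name in SANITIZERS:
            return False
        args = list(node.args) + [kw.value for kw in node.keywords]
        return any(is_tainted(a, tainted) for a in args)
    # BinOp (concatenation, % formatting), f-strings, attribute access, ...:
    # tainted if any sub-expression is tainted
    return any(is_tainted(c, tainted) for c in ast.iter_child_nodes(node))


def own_nodes(stmt):
    """Expression nodes of a statement, excluding the statements in its nested blocks."""
    for field, value in ast.iter_fields(stmt):
        if field in BLOCKS:
            continue
        for item in value if isinstance(value, list) else [value]:
            if isinstance(item, ast.AST):
                yield from ast.walk(item)


def analyse_block(stmts, tainted, findings):
    """Walk statements in source order: report tainted sink calls, then update taint."""
    for stmt in stmts:
        for node in own_nodes(stmt):
            if isinstance(node, ast.Call) and call_name(node) in SINKS and is_tainted(node, tainted):
                findings.append((node.lineno, call_name(node)))
        if isinstance(stmt, ast.Assign):
            names = [t.id for t in stmt.targets if isinstance(t, ast.Name)]
            if is_tainted(stmt.value, tainted):
                tainted.update(names)
            else:
                tainted.difference_update(names)  # reassignment from clean data clears taint
        # Taint acquired inside a branch persists afterwards: a deliberate over-approximation.
        if isinstance(stmt, (ast.If, ast.For, ast.While, ast.With, ast.Try)):
            for field in BLOCKS:
                sub = getattr(stmt, field, [])
                if field == "handlers":
                    for handler in sub:
                        analyse_block(handler.body, tainted, findings)
                else:
                    analyse_block(sub, tainted, findings)


def find_flows(source_code):
    """Return sorted [(line, sink)] for every sink call reached by tainted data."""
    findings = []
    for func in ast.walk(ast.parse(source_code)):
        if isinstance(func, (ast.FunctionDef, ast.AsyncFunctionDef)):
            analyse_block(func.body, set(), findings)
    return sorted(findings)


# Constructed program to analyse: two real flows, one sanitised, one re-assigned clean.
SAMPLE = '''\
import os

def lookup(request, cursor):
    name = request.args.get("name")
    cursor.execute("SELECT * FROM users WHERE name = '" + name + "'")
    uid = int(request.args.get("id"))
    cursor.execute(f"SELECT * FROM users WHERE id = {uid}")
    path = request.args.get("f")
    alias = path
    if alias:
        os.system("cat " + alias)
    alias = "motd.txt"
    os.system("cat " + alias)
'''

if __name__ == "__main__":
    for line, sink in find_flows(SAMPLE):
        print(f"line {line}: tainted data reaches {sink}")
```

Running it reports line 5 (SQL built by concatenating the raw name parameter) and line 11 (the path reaches os.system through the alias), and stays quiet for the int()-sanitised id and for the alias once it is reassigned to a constant. Real analysers add inter-procedural propagation, path sensitivity and far larger rule sets, but the core is this: a set of sources, sanitizers and sinks and a walk that carries taint between them.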
It took us a long time to find good tools, train people to use them, and roll them out. We have helped our vendors make their tools more robust (nobody could scan 50 million lines of code daily when we started looking at tools), which helps not only Oracle but also others in the industry. We all need the equivalent of spell-checkers for code to find where we have misspelled security, so to speak. I am pleased that Oracle is helping push the envelope for security automation higher and broader for everyone.
Security automation is also important in secure configuration. Most people don't have the time or expertise to set, say, 82 configuration parameters by hand (on 37 instances), much less do it every day to ensure that they didn't leave a cyberdoor wide open. Being able to automate those "Am I secure?" checks is like having a night watchman (who never needs to sleep) checking every door and window every quarter hour in perpetuity. Ideally, every software vendor ought to document best security practice, make it easy to install its products that way by default, and provide a tool to automate the security checks.
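What such an automated "Am I secure?" check looks like in practice, as an added example that is not code from the column or from Oracle: a small Python checker that parses each instance's init.ora-style parameter file, compares every parameter against a baseline of rules (exact value, allowed set, numeric ceiling), and reports drift per instance. The parameter names are Oracle initialization parameters used only for illustration; the baseline values are this example's assumptions, not vendor guidance, and the two instance files are constructed.

```python
"""Fleet-wide configuration check: parse each instance's parameter file, compare it
against a baseline, report every deviation. Baseline values are this example's
assumptions, not vendor guidance."""

# parameter -> (rule, expected). Rules: "eq" exact match, "in" allowed set, "max" ceiling.
BASELINE = {
    "REMOTE_OS_AUTHENT": ("eq", "FALSE"),
    "O7_DICTIONARY_ACCESSIBILITY": ("eq", "FALSE"),
    "SEC_CASE_SENSITIVE_LOGON": ("eq", "TRUE"),
    "AUDIT_TRAIL": ("in", {"DB", "DB,EXTENDED", "OS", "XML"}),
    "SEC_MAX_FAILED_LOGIN_ATTEMPTS": ("max", 10),
    "REMOTE_LOGIN_PASSWORDFILE": ("in", {"NONE", "EXCLUSIVE"}),
}


def parse_pfile(text):
    """Parse 'name=value' lines; '#' starts a comment, '*.' prefixes and quotes are dropped."""
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        key = key.strip().upper()
        if key.startswith("*."):
            key = key[2:]
        params[key] = value.strip().strip("'\"").upper()
    return params


def describe(rule, expected):
    """Human-readable form of a baseline rule, used in findings."""
    if rule == "eq":
        return f"= {expected}"
    if rule == "in":
        return "one of " + ", ".join(sorted(expected))
    return f"<= {expected}"


def satisfies(rule, expected, actual):
    """Evaluate one rule against the observed value."""
    if rule == "eq":
        return actual == expected
    if rule == "in":
        return actual in expected
    try:  # "max": non-numeric values such as UNLIMITED fail closed
        return int(actual) <= expected
    except ValueError:
        return False


def check_instance(params):
    """Return [(parameter, actual, expected)] for every baseline rule the instance violates.
    An absent parameter is reported too: the check does not assume the default is safe."""
    findings = []
    for name, (rule, expected) in BASELINE.items():
        actual = params.get(name)
        if actual is None or not satisfies(rule, expected, actual):
            findings.append((name, actual, describe(rule, expected)))
    return findings


def check_fleet(instances):
    """instances: {instance name: parameter file text}. Returns {instance name: findings}."""
    return {name: check_instance(parse_pfile(text)) for name, text in instances.items()}


# Constructed sample: one compliant instance and one that has drifted.
INSTANCES = {
    "prod-db01": """
        remote_os_authent=FALSE
        o7_dictionary_accessibility=FALSE
        sec_case_sensitive_logon=TRUE
        audit_trail='DB,EXTENDED'      # extended audit records
        sec_max_failed_login_attempts=5
        remote_login_passwordfile=EXCLUSIVE
    """,
    "prod-db02": """
        *.remote_os_authent=TRUE
        *.o7_dictionary_accessibility=FALSE
        *.sec_case_sensitive_logon=TRUE
        *.sec_max_failed_login_attempts=UNLIMITED
        *.remote_login_passwordfile='EXCLUSIVE'
    """,
}

if __name__ == "__main__":
    for instance, findings in check_fleet(INSTANCES).items():
        status = "OK" if not findings else f"{len(findings)} finding(s)"
        print(f"{instance}: {status}")
        for param, actual, expected in findings:
            print(f"  {param}: got {actual!r}, expected {expected}")
```

Run nightly against the parameter files pulled from every instance, this is the night watchman: prod-db01 passes, while prod-db02 is flagged for remote OS authentication being enabled, for an unlimited failed-login count, and for auditing not being configured at all. The missing-parameter case matters: a check that only inspects parameters that are present silently passes the instance where someone deleted the line.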
Securing Good Times
One thing that hasn't changed in 30 years is that people who work in IT are always doing at least four things at once, and being able to automate three of them will not only make us all more secure but will also make better use of a scarce resource (time!). So I look forward to the "good new days" when there are lots of automated security tools in the marketplace that meet the needs of vendors large and small as well as those of Jane or Joe Developer building a custom application for Mom-and-Pop.com.
Another thing hasn't changed in 30 years: we can all use more time.
Mary Ann Davidson is the chief security officer at Oracle, responsible for secure development practice, security evaluations, and assessments. She represents Oracle on the board of directors of the Information Technology Information Security Analysis Center (IT-ISAC) and the Defense Science Board and is on the editorial review board of SC Magazine.