As Published In
Oracle Magazine
July/August 2008

COMMENT: All Secure

Securing the Supply Chain

By Mary Ann Davidson

The educational supply chain must change.

I recently participated in a U.S. Defense Science Board study (see Next Steps) that examined foreign influence over the software supply chain. The study noted that, even as vendors need worldwide access to technological talent that enables them to create commercial software benefiting the U.S. Department of Defense, there is an increased risk that the software supply chain may be compromised by hostile nation-states.

Supply chain security issues are on many people's minds these days. IT operations are effectively regulated more than ever before, via, for example, the Sarbanes-Oxley Act, the Health Insurance Portability and Accountability Act (HIPAA), and various breach disclosure laws such as California SB 1386. IT customers are being pressured to show that they are "more secure" and are, in turn, pressuring their supply chain—software vendors—to prove that the enterprise software they provide is secure. Vendors are being asked everything from "What features and functions do you have to help meet regulatory requirements?" to "How do you embed security within your software development lifecycle?"

In the vendor community, there is a low rumble of discontent about our collective supply chain's current lack of a "secure development lifecycle." I'm not talking about other software suppliers, such as vendors that supply toolkits or components. What I mean by supply chain is the universities that supply computer science graduates. There is no secure development lifecycle in the vast majority of universities' degree programs. And that is a problem, perhaps the security problem plaguing the software industry. All the other security remediations in the software supply chain, such as multiple security point solutions, vulnerability analysis services, and patch management, are largely in response to the fact that most software was neither designed nor built to be secure. Developers don't typically think their code is a target, but it is a target and will only be more of one in the future.

Computer science graduates matriculate from long, labor-intensive degree programs without, in most cases, knowing even the first principles of secure coding and secure engineering practice. They are not stupid, but ignorant: they aren't being taught secure development practice because in many cases, their professors do not know the material or do not know it well enough to teach it.

Next Steps

LEARN more about
U.S. Defense Science Board study
secure coding letter to universities
defending against SQL injection

READ more Davidson

In the almost 20 years I have spent here, I have seen Oracle evolve from being a strong database company to one of the largest enterprise software companies in the world. We have always been security leaders, and not merely in security features and functions. We lead by broadly training our developers in secure coding practice. We lead by wide deployment of automated vulnerability detection tools (both third-party and homegrown). We've developed security-enforcing interfaces, such as input validation, without expecting every developer (or customer) to be a security expert.

We've recently completed a tutorial on preventing SQL injection (one of the most common application-based attacks), and it is posted externally for anybody to take (see Next Steps).

Solving the supply chain security problem is another area in which I want Oracle to lead. We all need universities—our supply chain—to change the way they teach computer science. To that end, Oracle sent a letter to several universities from which we recruit, telling them that we expend significant resources retraining their graduates in secure coding practices. We described the impact on us and our customers of avoidable, preventable security defects. We stated that in the future, we will give preference in hiring to those universities that emphasize secure coding practices. Our next step was to publish this as an open letter to all universities and to encourage other vendors to do the same: to push their universities to change their curricula so that secure development practice is embedded within the fabric of every class, not just in a single class that students file and forget. The educational supply chain must change.

All customers rely on IT as infrastructure and are being driven by regulation to insist on a secure software supply chain. Producing secure software requires a secure supply chain—university graduates whose degree programs have a secure development lifecycle embedded within every program element. We simply must evolve to defensive mind-sets delivering defensible code, lest none of us survive in a hostile world.

Mary Ann Davidson is the chief security officer at Oracle, responsible for secure development practices, security evaluations, and assessments. She represents Oracle on the board of directors of the Information Technology Information Security Analysis Center (IT-ISAC) and the U.S. Defense Science Board and is on the editorial review board of SC Magazine.