Manual system set-up complicates security

Mary Ann Davidson, chief security officer at Oracle, said she is all too familiar with the problem of users increasingly finding flaws in business applications that could cause serious damage if exploited by a hacker.

Discussing Oracle's security strategy at OracleWorld, she said Oracle now runs standard software development processes for creating not just the database but also the applications suite. "We have release criteria for all our products and support tools to ascertain security worthiness," she said.

To mitigate worms, viruses and hacking, suppliers need to focus on how applications install. "We certainly make products secure by default, yet there is still too much manual configuration to secure systems," she said.

The damage caused by viruses and worms could be minimised if software was automatically set to the highest level of security when it was installed. This is an area Davidson feels the industry needs to work on.

As chief security officer, Davidson has seen her fair share of worms and viruses, but this is not what worries her most. "My biggest fear is that there will be something we fail to do that will create a problem for our customers," she said.

Davidson said it is important that Oracle users receive security alerts at the earliest opportunity, as almost every type of business is considered critical.

She said, "We have so many customers and so many sectors that can be considered part of an infrastructure, who would not be on the insider list?" But while Davidson believed most software flaws should be treated this way, she did feel Cisco handled the recent flaw in its IOS operating system smartly. "Cisco made a good case in alerting its internet infrastructure customers first."

Davidson said in the Cisco example, people running the internet backbone would have been most exposed by the flaw in its IOS. If the internet infrastructure was damaged, everyone else would be affected.

Suppliers need to fix problems as quickly as possible with good-quality patches. "It does not do you a lot of good releasing a patch that breaks customer systems," she said. "They will not trust you the next time round."
