Oracle's CSO demands an end to customers checking Oracle products for defects


And we the end users are expected to do what? Obey? Does she really think that anybody will listen to her petty demands, at least without laughing afterwards?

Isn’t reverse-engineering code for bugs the equivalent of ultrasound-checking a structural composite for flaws?

How did somebody with such attitudes about security make it to a CSO position?


Having worked in InfoSec for the better part of (now I feel really old) almost 20 years, it’s sad to say that this sort of thinking is alarmingly common at the C level when it comes to security. That is to say, ignorant, misinformed or just plain uninformed. Specifically with security, even when it comes to national security, “corp-speak-jazz-hands” is a more important skill than anything to do with security, valued higher by those who employ said “experts” and, sadly, by those who solicit advice from them. Any time someone uses the word “cyber”, that should be a red flag, as should anyone who self-professes to be a “security expert”; the only people I’ve ever heard describe themselves as “cyber security experts” were anything but.
Gotta run, need to check my cyber mail!


This may be the most entertainingly written nastygram I have ever read. I wish I had her talent for delivering bullshit with a smile.

But there is one nugget of truth herein:

“…you would think that before gearing up to run that extra mile, customers would already have ensured they’ve … the usual security hygiene…before they attempt to find zero day vulnerabilities in the products they are using. And in fact, there are a lot of data breaches that would be prevented by doing all that stuff, as unsexy as it is, instead of hyperventilating that the Big Bad Advanced Persistent Threat using a zero-day is out to get me!”

I could not possibly agree more with the above.


I’m not entirely sure what the opening plug for the series of books she writes with her sister has to do with the rest of it, unless it’s to suggest she already has a foot out the door? :confused:


Well, what do you expect when Oracle spent years creating a reputation for shipping buggy software?


Right. Java is safe and secure. No need to test that assertion… trust us.

That’s the part I can’t get past. It’s just surreal.


I’m sure that, since Oracle wants to forbid the customer from performing any vulnerability checking themselves, Oracle will gladly pay in full for any customer’s damages resulting from the exploitation of a vulnerability in their code.

Right? :smile:



The writing was as entertaining a missive as I’ve seen for one of these, and she had some excellent points about customers spending money removing the logs from their own eyes before spending money on working on Oracle’s motes (regardless of the relative sizes of logs vs. motes), but between how tone-deaf the attitude toward her customers was and Oracle’s history of long-term failures to fix their own dogfood… (Back in the 90s two of my poker buddies worked for Oracle. They had a litany of how bad their email system, based on Oracle software, was. The net result was a bunch of shadow-IT style departmental mail servers for anyone who wanted to get things done.)

I also wonder about Ms. Davidson’s attitude towards economics.


I am…less than entirely shocked…to hear that Oracle is arrogant, dismissive, and high-handed in its treatment of customers. Unfortunately, they don’t seem to grasp that playing ‘asshole who you have to put up with because they are just that good’ requires being just that good.

One Rich Asshole Called Larry Ellison…


My gut feeling is it was supposed to make her seem more human. “She spends her free time writing books, so she understands the passion of people that spend their time looking for vulnerabilities.” But it feels like it was bolted on after the rest of the post was written. Maybe someone pointed out that she came across as an uncaring robot of the monolithic Oracle. So she tacked that first bit on to relate to the humans and soften the blow?


aaiiee carumba!

Buy and obey! Why does the corporate class even allow us “lowers” to enjoy the mirage that is a pay-check? Why haven’t they just instituted 100% wage garnishment against all current and future income and been done with the charade?


Wasn’t this the company that ships the Java Runtime engine bundled with the impossible-to-remove crapware that hijacks your browsers? Oh, yes it was.


Has there been a version of O-Java that’s not been a security sieve?

It’s a honeypot without the honey or the pot.


