You may have seen the news that Oracle shared a blog post (cache version here – Oracle took it down) in which the CISO essentially told the world to not help them make their software better, that the world should trust them to do it.Chris explains how they are violating license agreements by reverse engineering code, is an attempt to turn back the progress made to improve software security.
Chris Wysopal, CTO and CISO at Veracode :
“We now rely on software for everything – health, safety and wellbeing – and crafting a policy of ‘see something, say nothing’ puts us all at risk.
Application security is an enormous software supply chain issue for both enterprises and software vendors because we all rely on software provided by others. Vendors need to be responsive to their customers’ valid requests for assurance, and to security researchers who are trying to make the software we all consume better. Leaders in the industry – Google, Apple, Microsoft, Adobe – all encourage third-party code audits and bug bounty programs as a valuable extension of their own security processes.
Discouraging customers from reporting vulnerabilities or telling them they are violating license agreements by reverse engineering code, is an attempt to turn back the progress made to improve software security.”