Sunday, February 4, 2007

Security Goes Mainstream

Security is too important to be left to experts.

It occurs to me as I reflect upon my 14-odd years in security at Oracle how mainstream security has become during that time. For example, most well-known security conferences are now dominated by businesspeople instead of security kahunas. I started attending these conferences when they were small, furtive gatherings of what could only be described as the high priests of security: people who'd invented cryptographic algorithms (and others who had broken them), people you'd read about in the New York Times (the few times security made it on the front page—or any page), and people who literally wrote the book on some arcane aspect of security.

In those days, security was a religion with a cult following. Few understood its precepts or could intone them. Security rituals—like hacking—were restricted to a few initiates to the high priesthood. All this sounds great until you realize that if you want your religion to grow, you need more true believers. Lots more.

Now, security has gone mainstream both by happenstance and by design. As IT has become widespread (for example, almost everyone has e-mail and almost everyone now does things online that they used to do in person or on paper), computer security mechanisms have necessarily evolved to take the place of locked file cabinets in locked offices.

As for those who build the IT systems that have made the paperless (OK, "much less paper") world possible, security ought to—indeed, must—become mainstream instead of an afterthought. At Oracle, security has evolved from being largely centralized (through a small group of security mavens) to being decentralized: all development groups have security points of contact; all developers are trained on security. My goal for security is not to build another high priesthood but to "spread the security gospel" so all developers become true believers. In a way, security is just too important to be left to experts.

A recent example of how security has gone mainstream at Oracle is the work that my team and others did before Oracle Database 10g Express Edition (Oracle Database XE) shipped. Oracle Database XE is a lightweight, stripped-down version of Oracle Database that is intended to be used as an embedded database—it just ships inside another product and you don't really even know it is there. Many products have embedded databases that you wouldn't expect, such as physical security systems (for example, card readers) used for building access.

While we didn't make a big deal about it in terms of patting ourselves on the back (nor do I think vendors should take big bows for exercising due security care on behalf of their customers), we put a lot of security work into Oracle Database XE. We ensured that critical security issues were fixed, Oracle's ethical hacking team took a crack at it, and we did a lot of work to lock the product down so that it installs in a "default secure" configuration.

Some may wonder why we put the extra effort into hardening Oracle Database XE. After all, it is not necessarily going to be a big moneymaker; it's not the Oracle enterprise database protecting the corporate crown jewels. Why, in short, go to the extra security effort?

The answer is, we hardened Oracle Database XE for all the "security is mainstream" ideas I outlined earlier. Because Oracle Database XE is an embedded database, it's not likely that a professional, security-trained DBA will administer it. It's very likely to be used in a Web-facing application, which is another reason you want it hardened out of the box.

Also, we took a lesson from history. One of the reasons the SQL Slammer worm spread so quickly several years ago was all the embedded SQL Server databases that many enterprises did not know they had and, thus, did not know to patch. Remember those card systems I talked about? A number of them failed when SQL Slammer wormed its way through their embedded databases.

If, someday, there are thousands of Oracle Database XE databases embedded in applications, we want them to be as secure as we can make them precisely because this is a "mainstreamed" database application and not administered by the high priests of the temple of security. I'm pleased that we hardened Oracle Database XE and even more pleased that multiple people lined up behind the effort. It was not a hard sell, and that, too, is a mainstream idea. Security isn't just for enterprise databases but for all IT products.

This leads me to the very last reason but really the first reason why we did what we did for Oracle Database XE: Oracle's name is on it, and security is part of everything we do.