Duncan Harris: From EasySQL to CPUs

Abstract: In 1994, Oracle suffered its first known product vulnerability and reacted by sending a patch to every customer on tape or those new shiny CDs. But Oracle’s dedication to security famously goes back to its first customer, the CIA. Some years and several product acquisitions later, Oracle’s approach to security assurance is still rooted in that history of putting protection of its customers first. As well as reviewing Oracle’s product vulnerability handling practices, this presentation will explain the core elements and challenges of Oracle’s Software Security Assurance program including:

  • Comprehensive security analysis and testing
  • Secure configurations with guides and utilities to identify deviation from known secure states
  • Independent product security testing evaluations and validations
  • Building a decentralised, delegated, internal security community
  • Applying security bar-raising changes
  • Introducing cultural and process change to new product acquisitions

Speaker Bio: Duncan Harris is senior director of security assurance at Oracle, responsible for all product security vulnerability handling, for Oracle’s internal ethical hacking team, for formal product security evaluations such as Common Criteria and FIPS 140, and for defining, educating, evangelising and ensuring compliance with internal secure development standards. He provides broad security advice to Oracle information security, legal, HR, marketing, PR, internal audit and physical security teams, and takes an active role in defining new direction for security in Oracle’s core database and application server products, based on the weaknesses and vulnerabilities his team and real-world hackers identify and expose. Duncan notably constructed the technical proof behind Oracle’s “Unbreakable” marketing campaign.

Over his 18 years at Oracle, he has also been the product manager for Trusted Oracle7, Oracle’s B1 multilevel secure database, now replaced by Oracle Label Security, and he has been involved with all of Oracle’s product security evaluations and validations. Prior to Oracle, he worked as a UK government security evaluator and on various UK classified systems.