Mary Ann Davidson, Oracle's chief security officer, is in a bit of hot water. She recently published, then quickly pulled, a blog post that harshly scolded customers who hire third-party security consultants to reverse engineer their Oracle software. The message: Such activities are explicitly verboten by Oracle's world-famous software licensing terms.
It's easy to see why the missive has set off so much eye-rolling and outrage in the IT blogosphere. After all, Davidson seems to have a fundamental misunderstanding of the value that hackers provide by identifying and reporting security holes in code. She argues that because most people looking for flaws in software are after money or fame (or both), it's not a good idea to reward them. She also claims that telling her team about such vulnerabilities is a waste of time because she can't respond to them all, given their volume and poor quality.
That's a strange argument to make coming from the CSO of the world's second-largest software company, especially when she has two peers who direct other aspects of the company's security program. For example, one of her colleagues oversees physical security and the other leads the corporate enterprise policy group. Davidson holds a BS in mechanical engineering from the University of Virginia and an MBA from the Wharton School at the University of Pennsylvania. She has testified on cybersecurity before the US House of Representatives (Energy and Commerce Committee, Armed Services Committee and Homeland Security Subcommittee on Emerging Threats, Cybersecurity and Science and Technology). Her military service includes four years as a commissioned officer in the Navy Civil Engineer Corps.