Speaker: Bruce Lowenthal
Over the past five years, Oracle Corporation has been acquiring companies at a rate of about one company per month. After nearly all acquisitions, Oracle has found that product security processes and procedures needed to be upgraded for the acquired products. Oracle has also found that recently acquired products get a higher level of attention from hackers and security researchers immediately after the acquisition due to the Oracle branding. As a result, Oracle now quickly institutes product security policy and procedure upgrades for newly acquired organizations soon after change of control.
This presentation covers the security process and procedure changes that Oracle institutes after new organizations are acquired. These include development, testing and changes in the handling of reported vulnerabilities. In addition, this presentation will address a most important, yet often overlooked issue: the changing of an organization’s attitude regarding secure coding, testing and vulnerability handling.
While the focus of this talk is process and policy changes made as a result of acquisition, the content of this talk should be relevant to all organizations that do software development and are considering upgrading their security assurance policies and procedures. This would include financial, retail and governmental organizations, among others, whose developed software is accessed by large internal groups or by Internet constituents.