
Re: Interesting MetaLink notice

From: stephen booth <stephenbooth.uk_at_gmail.com>
Date: Sun, 5 Feb 2006 19:50:28 +0000
Message-ID: <687bf9c40602051150l47e03d6y@mail.gmail.com>


On 05/02/06, Mladen Gogala <gogala_at_sbcglobal.net> wrote:
> On 02/05/2006 01:17:26 PM, Jared Still wrote:
> > Even those problems that are addressed by security problems are
> > not always corrected, requiring only a small change in the exploit
> > to get around the security 'fix'.
>
> Software companies, not just Oracle, simply love the concept of "security through
> obscurity", which is not one of my favorites.

I remember some years ago (1997 or 98 IIRC) locking horns with one of my managers over security. It was over a web application (not Oracle based, just flat files and PERL scripts) that was going to be put on the Internet so our customers could vote on which enhancement requests they wanted us to prioritise. He argued that we didn't need to worry about security because we'd only give the URL to our customers so no-one who should see the data would even be able to find it. He even used the phrase "Security through Obscurity".

After some arguing I came up with an analogy: "Good security is like an onion, it's got lots of layers. Obscurity can be one layer, it can't be the whole onion."

I'd love to say that this brought him around to my side, but it didn't. He went on long term sick, due to an unrelated accident, and the manager who took over for him was much more security conscious.

Stephen

--
It's better to ask a silly question than to make a silly assumption.

http://stephensorablog.blogspot.com/
--
http://www.freelists.org/webpage/oracle-l
Received on Sun Feb 05 2006 - 13:50:28 CST
