Mary Ann Davidson

Mary Ann Davidson is the Chief Security Officer of Oracle Corporation, the second largest software company in the world. Her outspoken views regarding software security and role as security spokesperson for a leading database product have made hers an important voice among computer security practitioners.[1] She has testified on Oracle's behalf before the U.S. Congress, and is routinely cited in industry and business publications.

Early life

Mary Ann Davidson was raised in a Naval tradition. Her father, a veteran of World War II and Korea, was the academic dean at the US Naval Academy. Davidson attended the Severn School, a preparatory high school for the Naval Academy, graduating in 1976. [2] After obtaining a bachelor's degree in Mechanical Engineering from the University of Virginia, she was directly commissioned into the US Navy Civil Engineering Corps, eventually joining her sister Diane in a Reserve Naval Mobile Construction Battalion, an unusual assignment for a woman at the time. [3] During her service she was awarded the Navy Achievement Medal.[4]

Davidson later obtained an MBA from the Wharton School at the University of Pennsylvania.

Career at Oracle

Davidson joined Oracle in 1988, as a product manager in Oracle's financial software business unit.[1]

Security at Oracle

Davidson's public involvement in computer security dates to 1993, when she took a position as product marketing manager in Oracle's secure systems business unit.[1] During the same time period, she contributed to Usenet and the RISKS Digest. [5] By 2001, 13 years into her career at Oracle, she had been promoted to director. Her function in these roles primarily involved advocacy for information security inside of Oracle and to customers.

Testimony before Congress

In November 2001, Davidson was invited to appear before the US House Subcommittee on Commerce, Trade, and Consumer Protection, alongside executives from SAIC, Internet Security Systems, EDS, and Microsoft. [6]

In her testimony, she argued that following September 11, information systems posed an attractive target for terrorist attacks. She asserted that commercial enterprises were still "catching up" to the U.S. Government in security awareness, and that enterprises needed reliable third-party standards for security in order to make better purchasing decisions.

She entreated technology vendors to "think like hackers", and, in questioning, admitted that she didn't "think you can ever be 100 percent sure and there is no bulletproof security". Perhaps in contrast to statements she would make later in her career at Oracle, she lauded security researchers, claiming "98 percent of the people that we deal with are inquisitive, talented and [...] really want to test something".[6]

Chief Security Officer

In December 2001, in the wake of Oracle CEO Larry Ellison's infamous claim that the Oracle database was "Unbreakable", Davidson was named Chief Security Officer of Oracle Corporation, serving as Oracle's official security spokesperson and managing product security assessments and incident response. [4]

Davidson immediately set about mitigating the brashness of Ellison's claim. [1] She wrote in a white paper that "Unbreakable" stood for a process and not a guarantee. [7] Later, she told the trade press that her first reaction to Oracle's marketing claim was, "What idiot dreamed this up?". [8] [9]

Regardless, Oracle's timing had been inopportune. In the midst of a renaissance in vulnerability research (coinciding with the refinement of heap and integer overflows) and drastically increased attention to the security of enterprise technology, Oracle was targeted by security researchers. The subsequent discovery of numerous Oracle vulnerabilities led to the company being harshly criticized by security practitioners and pundits.[10]

Davidson has since become an advocate for software security. This principle, pioneered by Microsoft with the Security Development Lifecycle (SDL), argues that information security problems are best solved by improving the quality of vendor code, rather than by application of after-market security countermeasures. In particular, Davidson is a proponent of source code security scanners in general, and Fortify Software in particular; her public statements on Fortify's behalf constituted a notable early success for the source code scanning market. [11]

Though not unusual for CSOs in the Fortune 500 at large, Davidson's lack of formal training in technology stands out among CSOs for major technology companies; her peers include former software developer John Stewart, CSO of Cisco Systems, computer forensics expert Howard Schmidt, former CSO of Microsoft, and famed cryptographer Whitfield Diffie, CSO of Sun Microsystems.

Controversy

Though her early career at Oracle seems marked by tolerance and appreciation for independent vulnerability research, her attitudes towards security research, and particularly full disclosure, seem to have hardened after her promotion to CSO. [12] [13] At conferences, she has sharply criticized latter-day security research practices, for instance referring to vulnerability markets as "morally reprehensible". [14]

During her tenure, Oracle has weathered a turbulent engagement with the security research community. Davidson was publicly ridiculed by David Litchfield, a notable vulnerability researcher whose company, Next Generation Security, had business relationships both with Oracle and Microsoft's SQL Server product team. In a widely cited Bugtraq posting, picked up by the mainstream trade press, Litchfield called on Oracle to replace Davidson, pointing to a series of delayed or ineffective security patches in Oracle's database server as evidence of "categorical failure". [10] [15] [16]

Davidson and Oracle have since attempted to mend fences with the research community, an effort that may have paid off; Litchfield has since written more positively about Oracle, even going so far as to congratulate Davidson for "turning around" Oracle's "lumbering stegosaurus". [8]

Personal life

Davidson is an avid surfer and skier. She divides her time between Ketchum, Idaho and San Francisco, California. She is a student of languages, including Hebrew, Classical Greek, and Hawaiian, and of military history (reporting on her blog that she consumes one book of military history every week). [17] [18]

References

  1. Salkever, Alex (January 15, 2002), "Backing Up Oracle's "Unbreakable" Vow", Business Week, http://www.businessweek.com/bwdaily/dnflash/jan2002/nf20020115_8894.htm
  2. "Mary Ann Davidson" (PDF), The Bridge (Severn Alumni Newsletter), Spring 2003, http://www.severnschool.com/ftpimages/45/misc/misc_5844.pdf
  3. Davidson, Mary Ann (July 7, 2007), (Blog Post) Let Us Now Praise (Not So) Famous Men and Women, http://blogs.oracle.com/maryanndavidson/2006/07/07
  4. Oracle Executive Bio, http://www.oracle.com/corporate/pressroom/html/pressportal/mdavidson.html
  5. PKZIP 3.00 Virus URL?, April 10, 1996, http://groups.google.com/group/alt.folklore.urban/msg/836a62214954f565
  6. Cyber Security: Private-Sector Efforts Addressing Cyber Threats., November, 2001, http://energycommerce.house.gov/reparchives/107/hearings/11152001Hearing420/print.htm [dead link]
  7. Davidson, Mary Ann (February 2002) (PDF), Unbreakable: Oracle's Commitment To Security, http://www.oracle.com/technology/deploy/security/pdf/unbreak3.pdf
  8. Robert, McMillan (2006-05-29), "Oracle Mending Fences With Security Researchers", Computer World, http://www.computerworld.com.au/index.php/id;61710154;fp;2;fpid;1
  9. Kirk, Jeremy (2006-05-25), "Oracle's security chief lambastes faulty coding", Network World, http://www.networkworld.com/news/2006/052506-w3c-oracles-davidson-coding.html
  10. Vaas, Lisa (May 5, 2006), "Oracle vs. Security Researchers: Try Jell-O Wrestling", eWeek, http://www.eweek.com/article2/0,1759,1958335,00.asp
  11. Davidson, Mary Ann (2006-08-17), (Blog Post) I Can't Believe I Ate That, http://blogs.oracle.com/maryanndavidson/2006/08/17
  12. Greene, Thomas (March 5, 2005), "Oracle objects to Reg security coverage", The Register, http://www.theregister.co.uk/2002/03/05/oracle_objects_to_reg_security/
  13. Davidson, Mary Ann (July 27, 2005), "(Op-Ed) When Security Researchers Become The Problem", CNet NEWS.COM, http://www.news.com/When+security+researchers+become+the+problem/2010-1071_3-5807074.html
  14. nCircle Security Blog (May 9, 2005), Morally Reprehensible, http://blog.ncircle.com/archives/2005/05/morally_reprehensible.html
  15. Litchfield, David (January 6, 2005), "Opinion: Complete failure of Oracle security response and utter neglect of their responsibility to their customers", Bugtraq, http://seclists.org/bugtraq/2005/Oct/0056.html
  16. Evers, Joris (March 7, 2007), "Gadfly zeroes in on Oracle bugs", CNet NEWS.COM, http://www.news.com/2008-1002_3-6164785.html
  17. Davidson, Mary Ann (June 27, 2006), (Blog Post) Can We Talk?, http://blogs.oracle.com/maryanndavidson/2006/06/27
  18. Davidson, Mary Ann (March 13, 2006), (Blog Post) IT Lessons From Military History, http://blogs.oracle.com/maryanndavidson/2006/03/13

External links

  • [1] (Davidson's official Oracle blog)



Wikimedia Foundation. 2010.
