When it comes right down to it, you can only have one master – one that you serve and aim to please above all others. If you went around asking CEOs who their company’s master is, you’re likely to get the same response each and every time: our customer is our master.
The thing is, that’s not always true, particularly when it comes to publicly traded companies. When you sell shares of your company to the public, you take on a whole new world of accountability to your shareholders.
Creating shareholder value (increasing the stock price) becomes the number one mission – and the expected impact on the stock price often becomes the primary reason why certain things do and don't get done.
But this is all obvious, right? Every public company is out there to increase the value of its shares. And what does any of this have to do with software security?
I came across this Forbes article recently. It talks about the impact, or lack thereof, of software security flaws on Oracle’s stock price. It got me to thinking. Oracle has announced a lot of vulnerabilities over the last couple of years.
I’m not sure if they’ve put out fixes for more issues than any other software company on the planet, but when it comes to volume of database vulnerabilities, I can assure you that Oracle leads the pack by a solid margin.
Yet, despite these serious flaws, Oracle's revenue continues to grow and its stock price continues to climb. Perhaps the lack of any negative impact on the Oracle share price, despite the abundant flaws, is a contributing factor in why they have so many flaws to begin with – and why they don't seem inclined to fix them in a timely manner.
I grabbed a chart of Oracle’s stock price for the period of January 1, 2009 until today from Google Finance. Then I added some icons to the chart for each CPU (critical patch update) that Oracle released, each of which discloses bundles of security issues (the most recent CPU in October 2011 fixed 76 different vulnerabilities across Oracle’s growing range of products).
Next, I added a couple more call-outs. One points to the time when David Litchfield disclosed a major 0-day vulnerability in Oracle databases that allows any user who can log in to the database to take complete control of the Oracle software and of the server it runs on.
The other call-out I added points to the time when Oracle’s MySQL.com website was notoriously hacked using a simple SQL Injection exploit.
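To make concrete what a "simple SQL injection" looks like, here is an added example written for this edit. It is not code from the original post, and it is not the MySQL.com exploit itself (the post gives no details of that attack). The user table, the accounts and the payload strings are all constructed, and sqlite3 stands in for MySQL because it ships with Python. The vulnerable login builds its query by string concatenation; the parameterized version hands the same input to the database as data.

```python
import sqlite3

# Constructed sample data; not from MySQL.com or any real site.
USERS = [
    ("alice", "s3cret", "alice@example.com"),
    ("bob", "hunter2", "bob@example.com"),
]

# Two classic injection payloads for a single-quoted string context.
PAYLOAD_BYPASS = "' OR '1'='1"                      # authentication bypass
PAYLOAD_UNION = "' UNION SELECT email FROM users --"  # data extraction


def make_db():
    """In-memory database with a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    return conn


def login_vulnerable(conn, username, password):
    """Builds the statement by concatenation: attacker text becomes SQL."""
    sql = ("SELECT username FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return [row[0] for row in conn.execute(sql)]


def login_parameterized(conn, username, password):
    """Placeholders keep the input as data; it is never parsed as SQL."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


def demo():
    """Runs both implementations against the same inputs, returns the results."""
    conn = make_db()
    return {
        # Vulnerable: the password becomes "'' OR '1'='1'", true for every row,
        # so the check "succeeds" for all users without knowing any password.
        "bypass_vulnerable": sorted(login_vulnerable(conn, "x", PAYLOAD_BYPASS)),
        "bypass_parameterized": login_parameterized(conn, "x", PAYLOAD_BYPASS),
        # Vulnerable: the UNION appends a second query; "--" comments out the
        # rest of the original statement, so the result set is the email column.
        "union_vulnerable": sorted(login_vulnerable(conn, PAYLOAD_UNION, "x")),
        "union_parameterized": login_parameterized(conn, PAYLOAD_UNION, "x"),
        # Legitimate credentials still work with the parameterized version.
        "valid_parameterized": login_parameterized(conn, "alice", "s3cret"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The fix is not input filtering: it is refusing to let user input reach the SQL parser at all, which is what the placeholder form does. Any application that concatenates request parameters into a query string is one quote character away from the same outcome.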
[Chart: Oracle stock price, January 1, 2009 to date, with each Critical Patch Update and the two call-outs above marked.]
In the chart, the only correlation you’ll see between stock price and security issues is a trend for the stock to go up! If widely reported vulnerability disclosures and successful attacks aren’t hurting the stock price, why spend the time and effort to avoid releasing insecure software in the first place?
Maybe this trend is why many of the vulnerabilities we see Oracle fixing lately are in new software, such as the latest version of the database and other applications, and in Oracle's bolt-on security tools such as Enterprise Manager, Database Vault and Secure Backup – the very products sold to protect the rest.
Measured by impact on share price, building secure software simply doesn't pay. Buyers are gobbling up the vulnerable stuff as quickly as they can get their hands on it, and the people who really pay the price are those of us whose data is stolen and whose lives are turned upside down in the aftermath.
And this isn’t just an Oracle problem. The other major software vendors including IBM, Microsoft, SAP, and Apple also regularly disclose and patch major vulnerabilities. Yet their stock prices (and customer base) continue to grow regardless of their reputation for security.
If we want secure software, we need to make our voices clear. Buy from those who put their customers first, and who believe that by producing excellent software the market will come to them. If you’re already stuck with a vendor who consistently produces new security vulnerabilities, complain about it loudly.
Hold up your next order. Look for competitive solutions for any expansion projects or to replace a planned major upgrade. Make it clear to your vendors that you care about software security. If you don’t, nobody is going to do it for you, and we will all continue to suffer the consequences.