Oracle’s security chief seems pretty peeved over the prospect of someone other than the company’s own computer scientists finding a vulnerability. Mary Ann Davidson says as much in a now famous blog post where she accused customers of infringing Oracle’s licenses if they try to protect themselves from security breaches by double-checking Oracle’s code.
Much to the glee and delight of computer security watchers and Oracle wags everywhere, language in her blog post, which was taken down shortly after it appeared, has been circulating widely across the Internet. (At posting, you could still find an archived version here.)
Arstechnica does a terrific write-up on the notorious blog and summarizes others that reveal Davidson’s snarky attitude toward security researchers in general. Somehow, it’s not surprising.
As champions of Postgres, EDB is the beneficiary of massive amounts of code-sleuthing. Our EDB Postgres Plus offerings are integrated into open source Community PostgreSQL and we are a major supporter of the Postgres community. We support the kind of transparency inherent to open source community projects.
Anyone at anytime can review the code, raise their hand and flag an issue and Postgres is a better database because of this transparency. Instead of trying to protect intellectual property, influence market reactions or control potential damage in reputation, open source contributors are simply focused on making the software better. Their interests are aligned with the end users because many of the people examining the code are end users. What’s more the huge number of Postgres developers around the world gives Postgres an even greater advantage over commercial software developers who rely solely on internal resources.
And while anyone can probe the code, the Postgres Community manages security issues in a disciplined manner, when they do arise. Postgres, in fact, has a reputation for being the most secure open source database. The Community publicly reports and repairs security issues primarily through the Common Vulnerabilities and Exposures organization. Anyone can access the 'Security' link on the PostgreSQL.org home page to report or view security issues. Try searching http://cve.mitre.org/ for ‘PostgreSQL.’ The community also works cooperatively with 'packagers' of PostgreSQL, like EDB and other companies with ties to Postgres, to expedite patches to their respective user bases.
Gartner has recognized the quality of open source and begun to urge enterprise IT users to consider open source databases as their first option for mission critical applications. According to the April 2015 Gartner report, The State of Open-Source RDBMs, 2015,* “by 2018, more than 70% of new in-house applications will be developed on an OSDBMS, and 50% of existing commercial RDBMS instances will have been converted or will be in process.” And in its most recent Magic Quadrant for Operational Databases, Gartner for the first time ever added two open source relational databases to the Leader quadrant, EDB Postgres and MariaDB.
The bottom line is that open source projects with very large communities like Postgres are actually more capable of rapidly identifying and fixing potential security issues. They are unencumbered by corporate agendas and bureaucracies, benefit from massive scale and thrive on transparency by their very nature. If Oracle is asking their customers to blindly trust them while forbidding them to touch source code, Postgres and other open source databases are doing the exact opposite. This explains why so many companies are shifting away from commercial software to open source. Open source software can better meet the needs of today’s fast paced and demanding marketplaces, and bear up under scrutiny.
Marc Linster is Senior Vice President of Products and Services at EnterpriseDB.
*The State of Open Source RDBMSs, 2015, by Donald Feinberg and Merv Adrian, published April 21, 2015.
*The Gartner report, Magic Quadrant for Operational Database Management Systems, by Donald Feinberg, Merv Adrian and Nick Heudecker, was published October 16, 2014.