Mary Ann Davidson
Mary Ann Davidson is the Chief Security Officer of Oracle Corporation, the second largest software company in the world. Her outspoken views regarding software security and her role as security spokesperson for a leading database product have made hers an important voice among computer security practitioners. She has testified on Oracle's behalf before the U.S. Congress, and is routinely cited in industry and business publications.

Early life

Mary Ann Davidson was raised in a Naval tradition. Her father, a veteran of World War II and Korea, was the academic dean at the US Naval Academy. Davidson attended the Severn School, a preparatory high school for the Naval Academy, graduating in 1976.

After obtaining a Bachelor's in Mechanical Engineering from the University of Virginia, she was directly commissioned into the US Navy Civil Engineering Corps, eventually joining her sister Diane in a Reserve Naval Mobile Construction Battalion, an unusual assignment for a woman at the time.

During her service she was awarded the Navy Achievement Medal.

Davidson later obtained an MBA from the Wharton School at the University of Pennsylvania.

Career at Oracle

Davidson joined Oracle in 1988 as a product manager in Oracle's financial software business unit.

Security at Oracle

Davidson's public involvement in computer security dates to 1993, when she took a position as product marketing manager in Oracle's secure systems business unit. During the same time period, she contributed to Usenet and the RISKS Digest.

By 2001, 13 years into her career at Oracle, she had been promoted to director. Her function in these roles primarily involved advocacy for information security inside Oracle and to customers.

Testimony before Congress

In November 2001, Davidson was invited to appear before the US House Subcommittee on Commerce, Trade, and Consumer Protection, alongside executives from SAIC, Internet Security Systems, EDS, and Microsoft.

In her testimony, she argued that following September 11, information systems posed an attractive target for terrorist attacks. She asserted that commercial enterprises were still "catching up" to the U.S. Government in security awareness, and that enterprises needed reliable third-party standards for security in order to make better purchasing decisions.

She entreated technology vendors to "think like hackers", and, in questioning, admitted that she didn't "think you can ever be 100 percent sure and there is no bulletproof security". Perhaps in contrast to statements she would make later in her career at Oracle, she lauded security researchers, claiming "98 percent of the people that we deal with are inquisitive, talented and [...] really want to test something".

Chief Security Officer

In December 2001, in the wake of Oracle CEO Larry Ellison's infamous claim that the Oracle database was "Unbreakable", Davidson was named Chief Security Officer of Oracle Corporation, serving as Oracle's official security spokesperson and managing product security assessments and incident response. Davidson immediately set about mitigating the brashness of Ellison's claim.

She wrote in a white paper that "Unbreakable" stood for a process and not a guarantee.

Later, she told the trade press that her first reaction to Oracle's marketing claim was, "What idiot dreamed this up?".
Regardless, Oracle's timing had been inopportune. In the midst of a renaissance in vulnerability research (coinciding with the refinement of heap and integer overflows) and drastically increased attention to the security of enterprise technology, Oracle was targeted by security researchers. The subsequent discovery of numerous Oracle vulnerabilities led to the company being harshly criticized by security practitioners and pundits.

Davidson has since become an advocate for software security assurance. This principle, pioneered by Microsoft with the Security Development Lifecycle (SDL), argues that information security problems are best solved by improving the quality of vendor code, rather than by the application of after-market security countermeasures. Davidson is a proponent of source code security scanners generally, and of Fortify Software in particular; her public statements on Fortify's behalf constituted a notable early success for the source code scanning market.
Though not unusual for CSOs in the Fortune 500 at large, Davidson's lack of formal training in technology stands out among CSOs of major technology companies; her peers include former software developer John Stewart, CSO of Cisco Systems, computer forensics expert Howard Schmidt, former CSO of Microsoft, and famed cryptographer Whitfield Diffie, CSO of Sun Microsystems.

Controversy

Though her early career at Oracle seems marked by tolerance and appreciation for independent vulnerability research, her attitudes towards security research, and particularly full disclosure, seem to have hardened after her promotion to CSO. At conferences, she has sharply criticized latter-day security research practices, for instance referring to vulnerability markets as "morally reprehensible".

During her tenure, Oracle has weathered a turbulent engagement with the security research community. Davidson was publicly ridiculed by David Litchfield, a notable vulnerability researcher whose company, Next Generation Security, had business relationships with both Oracle and Microsoft's SQL Server product team. In a widely cited Bugtraq posting, picked up by the mainstream trade press, Litchfield called on Oracle to replace Davidson, pointing to a series of delayed or ineffective security patches in Oracle's database server as evidence of "categorical failure".

Davidson and Oracle have since attempted to mend fences with the research community, an effort that may have paid off; Litchfield has since written more positively about Oracle, even going so far as to congratulate Davidson for "turning around" Oracle's "lumbering stegosaurus".

Personal life

Davidson is an avid surfer and skier. She divides her time between Ketchum, Idaho and San Francisco, California. She is a student of languages, including Hebrew, Classical Greek, and Hawaiian, and of military history (reporting on her blog that she consumes one book of military history every week).

The source of this article is wikipedia, the free encyclopedia.  The text of this article is licensed under the GFDL.