I came across this article on eWEEK where Oracle’s security strategy, or the lack thereof, is being discussed. What is apparent is that Oracle, like many other companies who haven’t been doing much with regards to security, are now waking up to the problem of having to deal with security issues in their products, and finding out that they are lacking in several area’s to be able to effectively deal with these issues.

Back in April 2005, I wrote an article where I discussed Microsoft’s security strategy, and I predicted back then that while a few years ago Microsoft was being blamed for lack of security in their products, all the pressure everyone put on them would drive them to seriously improve the security of their products and eventually transform them into the company with the most secure software in the future, putting them way ahead of their competitors who at that time thought their products were secure enough. This is what I wrote back in April:

Because of all the constant attacks on Microsoft?s products, their products are being tested and prepared for security on a global scale unlike any other software product from any of their competitors. When their competitor?s products finally get the honor of being the victim of global virus attacks, Microsoft will be light-years ahead of them in terms of knowing how to deal with these issues and in terms of their software being able to handle such attacks. The result will be that Microsoft will have the most secure software available in the future.
At the end of the day, Microsoft will have everything to guarantee secure software out of the box (as secure as can realistically be), tools to proactively defend and detect, plus a software update infrastructure to get patches and updates to users within minutes.

And sure enough, I’m beginning to see signs that this is becoming a reality. And it is even happening sooner than I expected. From the eWEEK article:

But those outside the company worry that Oracle has not embraced security as whole-heartedly as Microsoft, which has developed company-wide systems, processes and architectures for improving the security of its products.

“From an architectural standpoint, Microsoft is ahead,” said Jon Oltsik [CQ], a senior analyst at Enterprise Strategy Group, in Milford, Mass.

“Oracle is doing a good job of addressing security in its products, but they haven’t figured out how security fits into their internal processes and overall architecture,” he said.

Despite its reputation as a security basket case, Microsoft has embraced software security as a central tenant, and has developed a consistent architecture for user authentication and access control, as well as product patch creation and distribution, he said.

Technologies like Active Directory and the Kerberos network authentication protocol are used consistently throughout Microsoft’s product suite, whereas Oracle products frequently use different technologies for access control and user management.

“Right now, Microsoft has a better story on that,” Oltsik said. The story is similar with product updates, though Oracle has made strides to streamline patch distribution with its CPU program, experts agree.

Oracle is just a start. As time passes and we head for the release of Windows Vista and other products in the next wave of Microsoft’s major software releases, there will be more companies who’re going to wake up to the fact that they’ve been sleeping all this time and have given Microsoft a head start on security and everything that is needed to guarantee it. And those companies who were the ones yelling Microsoft’s products were vulnerable and lacked security features a few years ago, thinking they could hurt Microsoft that way, are going to find out soon they’ve created a monster.

So right now, instead of buying more CRM software, Larry Ellison may want to look at buying technology to improve the security of his products.