There has been plenty of scorn about the scolding Oracle’s CSO delivered to her customers for “reverse engineering’ its code to test for security vulnerabilities. While Oracle, as usual, comes across as the “bad guy”, it is challenge most large software vendors face.
Here is the IT reality these days
a) Most IT vendors have made numerous acquisitions in the last decade. Many take years to integrate. Any prudent CIO would and should consider the separately designed, still un-integrated, un-hardened portfolio a potential security vulnerability.
b) Most IT vendors have under-delivered functionality, leading companies to customize, often heavily. Vendor support policies refuse to acknowledge such changes, and pretend their software pristine as it might be when it is shipped, gets implemented that way.
c) Most CIOs are blending hybrid on-premise/cloud models, ring-fencing around large software hubs, doing two-tier ERP, developing satellite apps etc. It is a corollary to b and larger vendors not delivering to their promise of “end-to-end suites”
In that spaghetti, I do not blame a CIO for trusting “nobody” when it comes to protecting against or investigating a breach. Or to use a Reaganism, maybe trust your larger vendors, but still verify.
It’s not just an Oracle problem. Every vendor better wake up to this reality. The larger ones will just have a tougher time accepting this reality.