Security round-up: Symantec to sell Veritas

It’s been a tumultuous week so far for the security industry with Symantec announcing a multibillion-dollar deal to sell its Veritas unit, Oracle’s CSO coming under fire from security researchers and experts expressing concerns over new controls on exports of intrusion equipment in the UK.

Symantec to sell Veritas for US$8bn

Symantec announced it has reached an agreement to sell its Veritas data storage and recovery business to a group of investors led by The Carlyle Group for a hefty US$8 billion ($11.03 billion).

The security company had announced in October that it planned to separate into two publicly traded companies, spinning off Veritas into a dedicated information management business.

In a blog post commenting on the planned Veritas sale, Symantec CEO Michael Brown said while the sale represents a divergence from the spin-off plan, it will have a similar outcome.

“While the sale of Veritas to The Carlyle Group will result in a different ownership outcome than a public spin, we still have the same intent: creating two standalone businesses that will both win in their respective markets,” he said.

Oracle CSO angers security experts with blog post

Oracle has drawn the ire of the security community following the publication of a blog post from CSO Mary Ann Davidson asking customers to stop reverse engineering code to find security vulnerabilities.

The blog post, which has since been deleted but has been preserved online, states that customers who reverse engineer code are in violation of their licence agreement.

Davidson urged customers and researchers not to “waste [Oracle’s] time” by reporting bugs in Oracle’s code, and said that while the company won’t ignore serious vulnerabilities discovered, the company will not follow industry trends and offer bounties for exploit reports.

Oracle was forced to distance itself from the post after security experts took to social media to strongly criticise Davidson and the post. Security experts regularly scan companies’ software code for vulnerabilities, and restricting their ability to reverse-engineer code would compromise these efforts.

UK controls on exports of intrusion software may harm the industry

The security industry has also expressed concerns over new export controls on intrusion hardware and software introduced in the UK.

In a notice, the nation’s Export Control Organisation asserted it will require companies seeking to sell intrusion software overseas to obtain a licence, although there are exceptions for mass-market software.

The ECO has asserted that the rules are being introduced due to concerns over the use of the tools to compromise human rights as well as national security concerns, and not to prevent export of hardware and software for security testing or law enforcement purposes.

But Drawbridge Networks CTO Tom Cross told IT News that the requirement will create problems for security penetration testers, and potentially for security researchers and antivirus companies as well.

Image courtesy of Martin McKeay under CC