Oracle Fortifies Application Security At The Source - InformationWeek


Oracle Fortifies Application Security At The Source

Oracle had previously relied on source-code analysis tools developed in-house but decided to work with a third party.

Oracle, which once claimed its applications were "unbreakable," plans to announce Tuesday that it is using Fortify Software's Source Code Analysis software to analyze Oracle's application server, collaboration suite, database server, and identity management software, among others, for potential vulnerabilities as new versions of these products are built.

Oracle had previously relied on source-code analysis tools developed in-house but decided to work with a third party, in this case Fortify, rather than continue to develop specialized tools. The company chose Fortify because other products on the market couldn't handle analyzing a code base the size of Oracle's, says company chief security officer Mary Ann Davidson. Not only does Oracle's technology stack consist of more than 30 million lines of code, the stack is also constantly changing as the company develops new versions of its software.

Fortify's software also proved more accurate than other code-analysis tools Oracle tested. "False positives have been the bane of my existence," Davidson says. "A high false positive rate actually makes the security problem worse; you have programmers chasing their tails."

Oracle's E-Business Suite of products is not a good fit with Fortify's technology at this time because its applications are written in a number of different languages, particularly those that came to Oracle through acquisition, such as PeopleSoft and Siebel. Davidson says Oracle is considering applying either Fortify or some other code-analysis product to its E-Business applications, but that it is currently focused on its technology stack.

The use of Fortify won't impact Oracle's current quarterly cycle for releasing patches, although Davidson is hoping there will be fewer patches to release as time progresses. "Even developers who understand security will occasionally make a mistake," she says. "Patches are expensive for us to issue and for customers to apply. What you want to do is avoid this in the long run. Won't be able to eliminate them? Probably not."

Oracle plans to apply Fortify Source Code Analysis not just to new development projects but also to existing products the company still supports. "The worst thing for a vendor is if a hacker breaks into an existing widely deployed product, and you don't have a patch," Davidson says.

Oracle's myth of being "unbreakable" was dispelled a few years ago, shortly after the company first made the claim. In 2003, the company acknowledged that a security flaw in the Oracle9i Release 2 database could be exploited by "a knowledgeable and malicious user" to launch a denial-of-service attack or capture an active user session of the database server.
