Oracle Fortifies Application Security At The Source - InformationWeek


Oracle had previously relied on source-code analysis tools developed in-house but decided to work with a third party.

Oracle, which once claimed its applications were "unbreakable," plans to announce Tuesday that it is using Fortify Software's Source Code Analysis software to analyze Oracle's application server, collaboration suite, database server, and identity management software, among others, for potential vulnerabilities as new versions of these products are built.

Oracle had previously relied on source-code analysis tools developed in-house but decided to work with a third party, in this case Fortify, rather than continue to develop specialized tools. The company chose Fortify because other products on the market couldn't handle analyzing a code base the size of Oracle's, says company chief security officer Mary Ann Davidson. Not only does Oracle's technology stack consist of more than 30 million lines of code, the stack is also constantly changing as the company develops new versions of its software.

Fortify's software also proved more accurate than other code-analysis tools Oracle tested. "False positives have been the bane of my existence," Davidson says. "A high false positive rate actually makes the security problem worse; you have programmers chasing their tails."

Oracle's E-business suite of products is not a good fit for Fortify's technology at this time because those products are written in a number of different languages, particularly the ones that came to Oracle through acquisitions such as PeopleSoft and Siebel. Davidson says Oracle is considering applying either Fortify or some other code-analysis product to its E-business applications, but that it is currently focused on its technology stack.

The use of Fortify won't impact Oracle's current quarterly cycle for releasing patches, although Davidson is hoping there will be fewer patches to release as time progresses. "Even developers who understand security will occasionally make a mistake," she says. "Patches are expensive for us to issue and for customers to apply. What you want to do is avoid this in the long run. Won't be able to eliminate them? Probably not."

Oracle plans to apply Fortify Source Code Analysis not just to new development projects but also to existing products the company still supports. "The worst thing for a vendor is if a hacker breaks into an existing widely deployed product, and you don't have a patch," Davidson says.

Oracle's myth of being "unbreakable" was dispelled a few years ago, shortly after the company first made the claim. In 2003, the company acknowledged that a security flaw in the Oracle9i Release 2 database could be exploited by "a knowledgeable and malicious user" to launch a denial-of-service attack or capture an active user session of the database server.
