Oracle Fortifies Application Security At The Source - InformationWeek


Oracle had previously relied on source-code analysis tools developed in-house but decided to work with a third party.

Oracle, which once claimed its applications were "unbreakable," plans to announce Tuesday that it is using Fortify Software's Source Code Analysis software to analyze Oracle's application server, collaboration suite, database server, and identity management software, among others, for potential vulnerabilities as new versions of these products are built.

Oracle had previously relied on source-code analysis tools developed in-house but decided to work with a third party, in this case Fortify, rather than continue to develop specialized tools. The company chose Fortify because other products on the market couldn't handle analyzing a code base the size of Oracle's, says company chief security officer Mary Ann Davidson. Not only does Oracle's technology stack consist of more than 30 million lines of code, the stack is constantly changing as the company develops new versions of its software.

Fortify's software also proved more accurate than other code-analysis tools Oracle tested. "False positives have been the bane of my existence," Davidson says. "A high false positive rate actually makes the security problem worse; you have programmers chasing their tails."

Oracle's E-business suite of products is not a good fit with Fortify's technology at this time because those products are written in a number of different languages, particularly the ones that came to Oracle through acquisition, such as PeopleSoft and Siebel. Davidson says Oracle is considering applying either Fortify or some other code analysis product to its E-business applications, but that it is currently focused on its technology stack.

The use of Fortify won't impact Oracle's current quarterly cycle for releasing patches, although Davidson is hoping there will be fewer patches to release as time progresses. "Even developers who understand security will occasionally make a mistake," she says. "Patches are expensive for us to issue and for customers to apply. What you want to do is avoid this in the long run. Won't be able to eliminate them? Probably not."

Oracle plans to apply Fortify Source Code Analysis not just to new development projects but also to existing products the company still supports. "The worst thing for a vendor is if a hacker breaks into an existing widely deployed product, and you don't have a patch," Davidson says.

Oracle's myth of being "unbreakable" was dispelled a few years ago, shortly after the company first made the claim. In 2003, the company acknowledged that a security flaw in the Oracle9i Release 2 database could be exploited by "a knowledgeable and malicious user" to launch a denial-of-service attack or capture an active user session of the database server.
