The Redwood Shores, California-based enterprise software maker has started using technology from Fortify Software to analyse the source code of some of its products for potential security vulnerabilities, the companies announced on Tuesday.
Using Fortify products "is one of many things we do to develop secure products," Mary Ann Davidson, Oracle's chief security officer, said in an interview. "We do think this is a strong complement to what we're doing."
Until recently, Oracle used tools developed in-house to find common vulnerabilities such as SQL injection and buffer overflow errors in its code, but did not use a tool as comprehensive as Fortify's Source Code Analysis product, Davidson said. "This is really going to help find things faster," she said.
The company's other efforts include secure coding standards, as well as employee training on security and product security audits, Davidson said.
Fortify's Source Code Analysis product sifts through source code and looks for possible vulnerabilities. The software checks for more than 65 types of flaws and typically runs on the server used by developers to "check in" completed chunks of code. It can also run on the developer's desktop, according to Fortify.
"It helps companies like Oracle discover and remediate errors in the code throughout the development process," Fortify Chief Executive Officer John Jack said.
Oracle, which has marketed its products as "unbreakable," has been facing mounting criticism over its security practices. Security researchers have accused the company of fixing security flaws too late, releasing faulty security updates or not plugging holes at all.
Security researcher David Litchfield, co-founder of U.K.-based Next Generation Security Software and one of Oracle's most vocal critics, sees Oracle's adoption of Fortify's technology as "a great step in the right direction." However, Litchfield cautions that code checkers are not a cure-all.
"By far the best approach is to code securely in the first instance," he said. "Source code scanning tools should be the last line of defence, not an excuse for lazy and insecure programming."
Oracle has started using Fortify's technology in the development of its database and application server, as well as its Collaboration Suite and Enterprise Manager products, Davidson said. The code checker will not be used in the development of the company's enterprise applications products, which include Oracle's E-Business Suite as well as the software it acquired through acquisitions such as PeopleSoft. The takeover of Siebel Systems is still pending.
"We have not licensed it for applications," Davidson said. "There is not as clear a benefit today. It goes to how much of our code is developed in particular languages and what Fortify's strengths are."
Those kinds of automated checks should only be relied on as a last line of defense, as they are never fool proof. If programmers become too reliant, many of them will become complacent for sure. I've seen it many times. Having said that, its still wise to use every tool at your disposal to improve software quality, if you can afford it (Fortify seems quite pricey).
We use Rational Purify to weed out things like memory leaks in our C++ code, but often we don't use it unless we notice a problem in testing. Sometimes just before a final release we might run it aswell, but we steer clear of using it constantly during development.