Oracle to 'Fortify' its source code

Software maker is using technology from Fortify to analyze source code for potential security vulnerabilities.

Joris Evers Staff Writer, CNET News.com
Joris Evers covers security.
Joris Evers
2 min read
Oracle, recently under fire from security researchers for the state of its product security, is further automating its bug-checking process.

The Redwood Shores, Calif.-based enterprise software maker has started using technology from Fortify Software to analyze the source code of some of its products for potential security vulnerabilities, the companies announced Tuesday.

Using Fortify products "is one of many things we do to develop secure products," Mary Ann Davidson, Oracle's chief security officer, said in an interview. "We do think this is a strong complement to what we're doing."

Until recently, Oracle used tools developed in-house to find common vulnerabilities such as SQL injection and buffer overflow errors in its code, but did not use a tool as comprehensive as Fortify's Source Code Analysis product, Davidson said. "This is really going to help find things faster," she said.

The company's other efforts include secure coding standards, as well as employee training on security and product security audits, Davidson said.

Fortify's Source Code Analysis product sifts through source code and looks for possible vulnerabilities. The software checks for more than 65 types of flaws and typically runs on the server used by developers to "check in" completed chunks of code. It can also run on the developer's desktop, according to Fortify.

"It helps companies like Oracle discover and remediate errors in the code throughout the development process," Fortify Chief Executive Officer John Jack said.

Oracle, which has marketed its products as "unbreakable," has been facing mounting criticism over its security practices. Security researchers have accused the company of fixing security flaws too late, releasing faulty security updates or not plugging holes at all.

Security researcher David Litchfield, co-founder of U.K.-based Next Generation Security Software and one of Oracle's most vocal critics, sees Oracle's adoption of Fortify's technology as "a great step in the right direction." However, Litchfield cautions that code checkers are not a cure-all.

"By far the best approach is to code securely in the first instance," he said. "Source code scanning tools should be the last line of defense, not an excuse for lazy and insecure programming."

Oracle has started using Fortify's technology in the development of its database and application server, as well as its Collaboration Suite and Enterprise Manager products, Davidson said. The code checker will not be used in the development of the company's enterprise applications products, which include Oracle's E-Business Suite as well as the software it acquired through acquisitions such as PeopleSoft. The takeover of Siebel Systems is still pending.

"We have not licensed it for applications," Davidson said. "There is not as clear a benefit today. It goes to how much of our code is developed in particular languages and what Fortify's strengths are."