Using Fortify products "is one of many things we do to develop secure products," Mary Ann Davidson, Oracle's chief security officer, said in an interview. "We do think this is a strong complement to what we're doing."
Until recently, Oracle used tools developed in-house to find common vulnerabilities such as SQL injection and buffer overflow errors in its code, but did not use a tool as comprehensive as Fortify's Source Code Analysis product, Davidson said. "This is really going to help find things faster," she said.
The company's other efforts include secure coding standards, as well as employee training on security and product security audits, Davidson said.
Fortify's Source Code Analysis product sifts through source code and looks for possible vulnerabilities. The software checks for more than 65 types of flaws and typically runs on the server used by developers to "check in" completed chunks of code. It can also run on the developer's desktop, according to Fortify.
"It helps companies like Oracle discover and remediate errors in the code throughout the development process," Fortify Chief Executive Officer John Jack said.
Security researcher David Litchfield, co-founder of U.K.-based Next Generation Security Software and one of Oracle's most vocal critics, sees Oracle's adoption of Fortify's technology as "a great step in the right direction." However, Litchfield cautions that code checkers are not a cure-all.
"By far the best approach is to code securely in the first instance," he said. "Source code scanning tools should be the last line of defense, not an excuse for lazy and insecure programming."
Oracle has started using Fortify's technology in the development of its database and application server, as well as its Collaboration Suite and Enterprise Manager products, Davidson said. The code checker will not be used in the development of the company's enterprise applications products, which include Oracle's E-Business Suite as well as the software it acquired through acquisitions such as PeopleSoft. The takeover of Siebel Systems is still pending.
"We have not licensed it for applications," Davidson said. "There is not as clear a benefit today. It goes to how much of our code is developed in particular languages and what Fortify's strengths are."
Join the conversation
Comment replyThe posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.
Web giant is spending $120 million to beef up its Mountain View, Calif., headquarters, according to filings with the city reviewed by the San Jose Mercury News.
The Samsung Galaxy Mini 2 S6500 could make its debut at the Mobile World Congress in Barcelona later this month, according to a leaked promotional image.
MIT creates a simulation to celebrate the 50th anniversary of Spacewar. A relic of the early days of minicomputers, it was one of the first computer video games and set the stage for many others, including Asteroids.
Join the conversation