Oracle secures source code

New technology aims to lessen software bugs

By Stacy Cowley and Paul Roberts

Source-code security developer Fortify Software Inc. is giving Oracle Corp.’s database and middleware software a security boost with tools that seek out source-code vulnerabilities at the development stage.

Fortify’s software is an integrated collection of tools that scan code for secure coding policy violations and other weaknesses. Oracle has licensed the tools for its Server Technologies group, which handles development of its database, application server, identity management and collaboration suite software.

Oracle, in Redwood Shores, Calif., has been searching for automated tools to examine its source code, and Fortify was the company to provide that, said Mary Ann Davidson, CSO at Oracle. Last year, Fortify unveiled two new product suites – one to inspect source code written in the C++ and Java programming languages, and the other to probe security holes in software applications.

Oracle has a code base of more than 30 million lines, and is the first top-tier commercial software developer to sign on as a Fortify customer. Other Fortify clients include Flash maker Macromedia Inc. and a number of financial services companies.

By eliminating vulnerabilities before code turns into shipped product, Oracle hopes to improve its customers’ security by reducing the number of patches it needs to issue.

“There are lots of band-aid products out there that protect against attacks. You wouldn’t need so many band-aids if you could actually have a vaccine,” Davidson said.

Oracle took a few hits to its security reputation last year after issuing a spate of critical patches.

Fortify said its tools help strengthen software applications by spotting common vulnerabilities such as buffer overflows, format string errors and unchecked input in product code early in the development process, so they can be removed before the code ships.

Fortify uses a technique called “extended static checking” that analyzes the properties of the source code itself rather than the behavior of the finished program, said Brian Chess, chief scientist at Fortify.

Most existing security testing products, by contrast, work dynamically: they try to “stimulate” a finished application with long lists of input data and watch for an invalid response.

Extended static checking lets Fortify’s tools enumerate all the paths through the code that can execute, quickly spot sensitive areas, and then determine the exact limits of a vulnerability, Chess said.
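To make concrete what “analyzing the code rather than running it” means, here is an added toy checker written for this article. It is not Fortify’s engine or any code from Oracle or Fortify, and its rule tables, function names and the C snippet it scans are constructed for the illustration. It reads C source as text, marks variables that receive data from entry points such as argv or fgets as tainted, and then reports the two bug classes named above: a tainted or non-literal format string passed to printf-family functions, and an unbounded strcpy of tainted data into a fixed buffer. The program is never compiled or executed, and each finding carries a line number, which is what lets a developer fix the bug before the code becomes a shipped product.

```python
"""Toy static checker: flags format-string and unbounded-copy bugs in C source text.

Added illustration only; it is not Fortify's analysis engine. Unlike the path
enumeration the article describes, this walks the file top to bottom once
(flow-sensitive, not path-sensitive), using hypothetical rule tables.
"""
import re
from dataclasses import dataclass

# Constructed C snippet: each bug sits next to a safe use of the same function.
SAMPLE_C = r"""
int main(int argc, char **argv) {
    char buf[64], line[128], out[256];
    char *name = argv[1];
    strcpy(buf, name);
    printf(name);
    printf("%s\n", buf);
    fgets(line, sizeof line, stdin);
    syslog(LOG_INFO, line);
    snprintf(out, sizeof out, "%s", line);
    return 0;
}
"""

# Hypothetical rule tables (a real tool ships far larger ones).
TAINT_SOURCES = re.compile(r"\b(argv|getenv|gets|fgets|read|recv|scanf)\b")
FILLS_FIRST_ARG = {"fgets", "gets", "read", "recv"}       # write untrusted bytes into arg 0
UNBOUNDED_COPY = {"strcpy": (0, 1), "strcat": (0, 1)}     # (dest index, source index)
FORMAT_ARG = {"printf": 0, "fprintf": 1, "sprintf": 1, "snprintf": 2, "syslog": 1}
CALL_RE = re.compile(r"\b([A-Za-z_]\w*)\s*\(")
IDENT_RE = re.compile(r"\b[A-Za-z_]\w*\b")
ASSIGN_RE = re.compile(r"^\s*(?:(?:const\s+)?\w+\s+\**)?(\w+)\s*=(?!=)\s*(.+?);\s*$")


@dataclass
class Finding:
    line: int
    kind: str
    detail: str


def call_args(text, open_idx):
    """Split the arguments of the call whose '(' is at open_idx, respecting nesting and strings."""
    depth, start, args, in_str, i = 0, open_idx + 1, [], False, open_idx
    while i < len(text):
        c = text[i]
        if in_str:
            if c == "\\":
                i += 1                      # skip the escaped character
            elif c == '"':
                in_str = False
        elif c == '"':
            in_str = True
        elif c == "(":
            depth += 1
        elif c == ")":
            depth -= 1
            if depth == 0:
                args.append(text[start:i].strip())
                return [a for a in args if a]
        elif c == "," and depth == 1:
            args.append(text[start:i].strip())
            start = i + 1
        i += 1
    return None                             # call continues on a later line; not handled here


def first_ident(expr):
    """Variable named by an lvalue such as buf, &buf[0] or *p."""
    m = IDENT_RE.search(expr)
    return m.group(0) if m else expr


def is_tainted(expr, taint):
    """An expression is tainted if it reads a known source or a variable already marked tainted."""
    if expr.startswith('"'):
        return False
    return bool(TAINT_SOURCES.search(expr)) or any(w in taint for w in IDENT_RE.findall(expr))


def analyze(source):
    """Return Findings for the C source text, in line order."""
    taint, findings = set(), []
    for lineno, code in enumerate(source.strip("\n").splitlines(), start=1):
        m = ASSIGN_RE.match(code)
        if m and is_tainted(m.group(2), taint):
            taint.add(m.group(1))           # e.g. char *name = argv[1];
        for call in CALL_RE.finditer(code):
            fn, args = call.group(1), call_args(code, call.end() - 1)
            if args is None:
                continue
            if fn in FILLS_FIRST_ARG and args:
                taint.add(first_ident(args[0]))
            if fn in UNBOUNDED_COPY and len(args) > max(UNBOUNDED_COPY[fn]):
                dst, src = (args[i] for i in UNBOUNDED_COPY[fn])
                if is_tainted(src, taint):
                    findings.append(Finding(lineno, "buffer overflow",
                        f"{fn} copies tainted '{src}' into '{dst}' with no length bound"))
                    taint.add(first_ident(dst))
            idx = FORMAT_ARG.get(fn)
            if idx is not None and len(args) > idx and not args[idx].startswith('"'):
                why = "attacker-controlled" if is_tainted(args[idx], taint) else "non-literal"
                findings.append(Finding(lineno, "format string",
                    f"{fn} format argument '{args[idx]}' is {why}"))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_C):
        print(f"line {f.line}: {f.kind}: {f.detail}")
```

Run on the embedded snippet, the checker reports the strcpy on line 4, the printf on line 5 and the syslog on line 8, and stays quiet about the literal-format printf and snprintf calls beside them. The gap between this toy and a product like the one described is exactly the path enumeration Chess mentions: a single linear pass cannot tell that a length check on one branch makes a copy safe there but not on another.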
