New technology aims to lessen software bugs By Stacy Cowley and Paul Roberts Source-code security developer Fortify Software Inc. is giving Oracle Corp.’s database and middleware software a security boost with tools that seek out source-code vulnerabilities at the development stage.
Fortify’s software is an integrated collection of tools that scan code for secure coding policy violations and other weaknesses. Oracle has licensed the tools for its Server Technologies group, which handles development of its database, application server, identity management and collaboration suite software.
Oracle, in Redwood Shores, Calif., has been searching for automated tools to examine its source code, and Fortify was the company to provide that, said Mary Ann Davidson, CSO at Oracle. Last year, Fortify unveiled two new product suites – one to inspect source code written in the C++ and Java programming languages, and the other to probe security holes in software applications.
Oracle has a code base of more than 30 million lines, and is the first top-tier commercial software developer to sign on as a Fortify customer. Other Fortify clients include Flash maker Macromedia Inc. and a number of financial services companies.
By eliminating vulnerabilities before code turns into shipped product, Oracle hopes to improve its customers’ security by reducing the number of patches it needs to issue.
“There are lots of band-aid products out there that protect against attacks. You wouldn’t need so many band-aids if you could actually have a vaccine,” Davidson said.
Oracle has taken a few hits on its security reputation last year after issuing a spate of critical patches.
Fortify said its tools help strengthen software applications by spotting and removing common vulnerabilities like buffer overflows, format string errors and unchecked input from the product code early in the development process.
Fortify uses technology called “extended static checking” that analyzes the properties of software code rather than the behavior of finished program, said Brian Chess, chief scientist at Fortify.
Most source code analysis products work by trying to “stimulate” finished software applications with long lists of data and produce an invalid response.
Extended static checking allows Fortify’s tools to enumerate all the paths in computer code that can take action or “execute,” quickly spot sensitive areas in the computer code, then determine the exact limits of the vulnerability, Chess said.