[ISN] Oracle turns to Fortify to secure source code

InfoSec News isn at c4i.org
Wed Dec 21 01:37:30 EST 2005


http://www.networkworld.com/news/2005/122005-oracle-fortify.html

By Stacy Cowley
IDG News Service
12/20/05

Start-up source-code security technology developer Fortify Software
scored a major triumph on Tuesday as Oracle announced plans to use
Fortify's tools to seek out holes in Oracle's database and middleware
software.

Oracle Chief Security Officer Mary Ann Davidson says she searched for
years for automated tools to examine Oracle's source code but had been
unimpressed with the available products. Fortify was the first company
to listen to Oracle's description of its development process and to
tailor its software to meet Oracle's needs, Davidson says.

Oracle has a code base of more than 30 million lines, and is the first
top-tier commercial software developer to sign on as a Fortify
customer. Other Fortify clients include a number of financial services
companies, as well as Flash maker Macromedia. Identity management
software developer Oblix, acquired by Oracle earlier this year, was
also a customer, but Davidson says Oracle's work with Fortify predated
its Oblix buy.

Fortify's software is an integrated collection of tools that scan code
for secure coding policy violations and other weaknesses. Oracle has
licensed the tools for its Server Technologies group, which handles
development of its database, application server, identity management
and collaboration suite software. Oracle's application software,
including its E-Business Suite and the products Oracle acquired from
PeopleSoft and other vendors, is written in a variety of programming
languages and isn't a good fit for Fortify's tools, and will not be
included in the deal, Davidson says.

Oracle hopes by eliminating vulnerabilities before code turns into
shipped product, it will reduce the number of patches it needs to
issue and improve its customers' security.

"There's lots of Band-Aid products out there that protect against
attacks. You wouldn't need so many Band-Aids if you could actually
have a vaccine," Davidson says.

Oracle, which once used "unbreakable" as its brand slogan, has taken a
few hits on its security reputation this year after issuing a spate of
critical patches. A German security firm published details of several
high-risk vulnerabilities in Oracle's software after the firm said it
tried for years to draw Oracle's attention to the security holes.

Fortify launched last year and now has around 50 employees. Winning
Oracle's business will be a major boost to Fortify's credibility as it
looks to convince more large vendors to license its security tools.

Working with Oracle has helped Fortify refine its first-generation
software and improve its tools' performance, Fortify CEO John Jack
says.

"We now have a product that scales to the largest code base," Jack
says. "It's been a great year."





More information about the ISN mailing list