Oracle Opens the Book on Its Recipe for Unbreakable Code

By Lisa Vaas | Posted 2006-01-24
The company has been facing growing criticism about poor quality patches and known vulnerabilities left unpatched for too long. At customers' urging, it's finally going public with how it's working to clean up its code crunching, particularly now that it'

Oracle Corp. is sick of it. Microsoft Corp. has been strutting with its newfound security street cred. Take its developers—they're able to quote chapter and verse of the company's SDL (Security Development Lifecycle) blueprint for software creation. But what about Oracle? Why don't we hear about secure coding from the database king?
The company has been facing growing criticism about poor-quality patches and known vulnerabilities left unpatched for too long. Here's a typical complaint, from Dan Downing, vice president of testing services at business applications testing, hosting and managing provider Mentora: "Part of the reason there are so many [Oracle] patches is directly reflective of the poor quality of the code," he said.
"If an application is mature—and every piece of software goes through this cycle at some point—there are no bugs, or few bugs that surface," he said. This comes after a history of patches that haven't installed correctly, patches to patch patches, and then patches to patch the patches that were released to patch patches.
Oracle has had a no-comment, protect-our-customers policy on security issues. But its loyal customers are fed up with hearing Microsoft lauded while Oracle's own secure coding practices remain more or less a black box. Oracle is sick of it. So now it's talking.
John Heimann is the director of security program management at Oracle. He reports to Chief Security Officer Mary Ann Davidson and does the front-end work of security: setting standards, training, enforcing security checklists, determining secure configurations, working on secure-by-default initiatives and coordinating with marketing on security products.
In a daylong tour of Oracle security given to eWEEK on Jan. 11, Heimann pointed out that the type of secure coding Microsoft is blabbing about nowadays had to be in place from the get-go at Oracle, which counts among its longtime customers numerous government agencies, plus commercial companies such as General Electric, Alcoa, Computer Associates and the like.
"From day one we were in a multiuser environment," Heimann said. "We had to worry about authenticating users, controlling what users could see, from a very early stage in our product. Starting with Oracle 6, I think, we had our first real commercial database release. We had multiuser authorization, authentication, access and control."
How it has maintained that security, for better or worse, is of course multifaceted. Most recently, Oracle is talking secure-by-default initiatives, for one thing. The company is also solidifying its volume code testing. In December, Oracle announced it would use static code analysis technology from Fortify Software Inc. to hunt for bugs in C, C++, PL/SQL and Java as part of a program to improve checking for security holes during development, instead of trying to patch holes after the product is out the door.
The Fortify tool had to stand up to brutal load. Oracle's database alone contains between 40 million and 50 million lines of code. The tool had to scale to spit out results in a reasonable amount of time and be able to work on parallel machines. "We want to get an answer in a day, not find out that two or three people have modified the product" while it's dragged through testing, said Mark Fallon, senior manager of software development. Fortify will be used across all product stacks and was being centrally installed this week.
Lisa Vaas is News Editor/Operations for eWEEK.com and also serves as editor of the Database topic center. Since 1995, she has also been a Webcast news show anchorperson and a reporter covering the IT industry. She has focused on customer relationship management technology, IT salaries and careers, effects of the H1-B visa on the technology workforce, wireless technology, security, and, most recently, databases and the technologies that touch upon them. Her articles have appeared in eWEEK's print edition, on eWEEK.com, and in the startup IT magazine PC Connection. Prior to becoming a journalist, Vaas experienced an array of eye-opening careers, including driving a cab in Boston, photographing cranky babies in shopping malls, selling cameras, typography and computer training. She stopped a hair short of finishing an M.A. in English at the University of Massachusetts in Boston. She earned a B.S. in Communications from Emerson College. She runs two open-mic reading series in Boston and currently keeps bees in her home in Mashpee, Mass.