Oracle Opens the Book on Its Recipe for Unbreakable Code

The company has been facing growing criticism about poor quality patches and known vulnerabilities left unpatched for too long. At customers' urging, it's finally going public with how it's working to clean up its code crunching, particularly now that it'

Oracle Corp. is sick of it.

Microsoft Corp. has been strutting with its newfound security street cred. Take its developers—they're able to quote chapter and verse of the company's SDL (Security Development Lifecycle) blueprint for software creation.

But what about Oracle? Why don't we hear about secure coding from the database king?

The company has been facing growing criticism about poor quality patches and known vulnerabilities left unpatched for too long. Here's a typical complaint, from Dan Downing, vice president of testing services at business applications testing, hosting and managing provider Mentora: "Part of the reason there are so many [Oracle] patches is directly reflective of the poor quality of the code," he said.

"If an application is mature—and every piece of software goes through this cycle at some point—there are no bugs, or few bugs that surface," he said.

This comes after a history of patches that haven't installed correctly, patches to patch patches, and then patches to patch the patches that were released to patch patches.


Oracle has had a no-comment, protect-our-customers policy on security issues. But its loyal customers are fed up with hearing Microsoft lauded while Oracle's own secure coding practices are more or less black-box.

Oracle is sick of it. So now it's talking.

John Heimann is the director of security program management at Oracle. He reports to Chief Security Officer Mary Ann Davidson and does the front-end work of security: setting standards, training, enforcing security checklists, determining secure configurations, working on secure-by-default initiatives and coordinating with marketing security products.

In a daylong tour of Oracle security given to eWEEK on Jan. 11, Heimann pointed out that the type of secure coding Microsoft is blabbing about nowadays had to be in place from the get-go with Oracle, which counts among its longtime customers numerous government agencies, plus commercial companies such as General Electric, Alcoa, Computer Associates and the like.

"From day one we were in a multiuser environment," Heimann said. "We had to worry about authenticating users, controlling what users could see, from a very early stage in our product. Starting with Oracle 6, I think, we had our first real commercial database release. We had multiuser authorization, authentication, access and control."

How it's maintained that security, for better or worse, is of course multifaceted.

Most recently, Oracle is talking secure-by-default initiatives, for one thing.

The company is also solidifying its volume code testing. In December, Oracle announced it would use static code analysis technology from Fortify Software Inc. to hunt for bugs in C, C++, PL/SQL and Java as part of a program to improve checking for security holes during development, instead of trying to patch holes after the product's out the door.

The Fortify tool had to stand up to brutal load. Oracle's database alone contains between 40 million and 50 million lines of code. The tool had to scale to spit out results in a reasonable amount of time and be able to work on parallel machines.

"We want to get an answer in a day, not find out that two or three people have modified the product" while it's dragged through testing, said Mark Fallon, senior manager of software development.

Fortify will be used across all product stacks and was being centrally installed this week.
