Oracle Corp. said in a statement that the company will use static code analysis technology from Fortify Software Inc. to hunt for bugs in its products as part of a program to improve checking for security holes during development.
The deal will integrate Fortify's Source Code Analysis product into the development process for Oracle's server technologies.
The technology will scan more than 30 million lines of the company's code and could reduce the number of security holes that can be exploited in the company's products, according to Oracle CSO Mary Ann Davidson.
Oracle has licensed Fortify's software for use with the Oracle Database Server, Application Server, Enterprise Management, Collaboration Suite and identity management products, Davidson said.
The product uses static code analysis to find buffer overflows, heap overflows and other common security holes in code under development, said John M. Jack, CEO of Fortify.
Terms of the deal were not disclosed, but Oracle will be the largest ISV (independent software vendor) out of around 40 that use Fortify's product, said Jack.
Oracle picked Fortify because the products produced relatively few false hits during code scans and could be used on around 30 million lines of code, Davidson said.
The deal with one of the world's largest software makers is a sign that software security is becoming “mainstream and real,” Jack said.
The deal also marked a concession on the part of Oracle, where CEO Larry Ellison has chided Microsoft for its failures on the security front and boasted in 2001 that Oracle's software was “unbreakable” by hackers.
In Tuesday's statement, it was Oracle donning a mantle that Microsoft has worn in recent years, saying it will integrate Fortify's technology into Oracle's “secure development lifecycle.”
That's a term Microsoft popularized in describing the process the company adopted to improve the security of its products as part of the company-wide Trustworthy Computing initiative.
Oracle may not have used the term “secure development lifecycle” before, but the company has had a secure development process for years, Davidson said.
“We've had Oracle secure coding standards, training for developers, ethical hacking teams.”
Though usually associated with Microsoft, the term applies equally well to what Oracle is doing.
“I think [‘secure development lifecycle’] is a standard term,” Davidson said.
Regardless of the terminology, Davidson said she is happy to talk about the concept of security reviews during development, and plans to expand the application of secure coding practices within Oracle and among customers who use the company's technology.
“One thing I hope our customers get out of this, in a way, is that it's a good thing to use as part of the development process. I'd like to see the use of these types of tools become part of industry practice,” she said.