Fortify Software


Oracle Corporation Fortifies Its Code With Fortify SCA

The World's Largest Enterprise Software Company

Oracle is the only vendor to offer solutions for every tier of business: database, middleware, business intelligence, business applications, and collaboration. For more than 27 years, Oracle has built a reputation for delivering many of the industry's most secure solutions.

Under Oracle Software Security Assurance, security is a key requirement in all phases of specification, design and implementation. Over the years, the company had extensively documented its Secure Coding Standards and implemented a number of in-house and third-party security tools for development. "Security is part of our corporate DNA and has been for as long as the company's been in existence," said Mary Ann Davidson, Oracle's Chief Security Officer.

The Challenge

Oracle wanted to augment its portfolio of existing tools with a commercially available automated source code security analysis tool to provide ongoing feedback to developers and allow them to detect security flaws earlier during development and fix them appropriately. "Even if you have the best developers in the world and a really good process for security, people can still make coding errors," Ms. Davidson said.

Oracle's requirements were:

  • Scalability: The product would have to handle the division's extremely large and complex code base, analyzing the company's software across numerous platforms and languages. The requirement called for a scalable tool capable of handling multiple large code bases and development teams.
  • Flexibility: The Oracle Server Technologies group sought a tool that could be customized to reflect its development environment and coding practices, and that could be extended to include the coding rules in the Oracle Secure Coding Standards.
  • Precision: Developers wanted the tool to flag only genuine potential issues, without wasting time on a large number of false positives.

Key Challenges

  • Optimize the inspection of a massive, growing code base spanning multiple languages
  • Easily customizable to meet Oracle Server Technologies' unique security needs and complex technical environment
  • Minimize false positives and precisely pinpoint potential issues to optimize developer and security resources

The Solution: Fortify SCA

At the end of 2005, Oracle Server Technologies (ST) evaluated a number of products and selected Fortify Software's Source Code Analysis (Fortify SCA) to extend its in-house efforts to automate security testing of its technology products during development. Mark Fallon, Oracle Director of ST Release Engineering said, "We looked into a number of tools and tested them against our source base. The vast majority of them could not handle the size, scope and nature of our applications. Of all the products we tested, Fortify came closest to our technical requirements."

"Furthermore, Fortify expressed a willingness to work with us on integrating their product into our development environment, as well as future enhancements," says Mr. Fallon. "Together, we are continually refining it, making it more powerful and accurate."

The Results

Though Oracle has only recently started to work with Fortify SCA, based on its initial deployment the company expects the following benefits:

  • Enhanced Security Assurance: Fortify SCA helps catch more security vulnerabilities earlier in the development cycle. "We know from process manufacturing that the earlier you fix a potential problem, the better," concludes Ms. Davidson. "The more issues you find and fix during development, the lower the lifecycle cost for both vendors and their customers."
  • Comprehensive and Simplified Source Code Analysis: Fortify SCA is able to quickly analyze large amounts of code, a task that would be very resource intensive and lengthy if done manually. Furthermore, during the initial evaluation, Fortify SCA also proved to be more accurate than other tools, a key requirement for developer acceptance. "False positives are the bane of security scanning tools," says Ms. Davidson. "It's not just that tracking down false positives is such a waste of time, it's that developers are not going to ever want to touch the tool again. A good tool helps developers to do the right thing, motivates them to do the right thing, and helps embed a culture of security in your development environment."
  • Ongoing Developer Education and Feedback: The use of Fortify SCA allows developers to receive feedback throughout the development cycle. It is this timely feedback that helps enforce the Secure Coding Standards, resulting in developers consistently writing secure code. "As use progresses, and habits change, the number of issues being flagged diminishes, but these diminishing returns are actually a benefit," said Mr. Fallon.

Fortify Benefits

  • Increase confidence in the security of its code
  • Reinforce developers' application security training
  • Identify vulnerabilities earlier in the process

Conclusion

Oracle ST continues to extend the use of Fortify SCA and expects to be able to equip more of the company's developers with Fortify SCA. The relationship between Fortify Software and Oracle ST has been mutually beneficial. Mr. Fallon says, "Fortify has worked extensively with us...they listened to us and kept coming back and making the tool even better." John Jack, CEO of Fortify explained, "Oracle ST's feedback has been invaluable to us in refining our product and making it the strongest solution available. We started out with a cutting edge solution that won numerous technology awards, but it was the feedback from customers like Oracle that has turned Fortify SCA into the market leading solution."

About Fortify Software

Fortify Software products protect companies from today's greatest security risk: the software applications that run their businesses. Combining deep application security expertise with extensive software development experience, Fortify Software has defined the market with award-winning products that span the software development cycle. Today, Fortify Software fortifies the software for the most demanding customer deployments, including the world's largest, most varied code bases.

For more information, visit www.fortifysoftware.com.
