Oracle Fortifies Application Security At The Source

Oracle had previously relied on source-code analysis tools developed in-house but decided to work with a third party.
In June 2004, Kittrell, N.C., Oracle consulting firm Burleson Consulting and the U.S. Computer Emergency Readiness Team (US-CERT) noted a SQL injection vulnerability in E-Business Suite 11i, versions 11.5.1 through 11.5.8, where an attacker could insert a SQL statement or fragment into an input field on a Web page or form and compromise, invalidate, or initiate unauthorized data transmission from that application. A few months later, US-CERT issued an alert pertaining to vulnerabilities in the Oracle database server, application server, and Enterprise Manager software, the most serious of which allowed remote attackers to execute arbitrary code on an affected system and corrupt data.

Many vulnerabilities exist because programmers don't consider how a hacker might try to break their code. Years ago, for example, it might not have occurred to a Web programmer that an attacker would exploit a field in a database query to launch a buffer overflow or SQL injection attack. "The earlier you find problems like this, the less expensive they are to fix," says Fortify Software CEO John Jack.

Fortify Software's Source Code Analysis looks for areas of code that would be vulnerable to attack. The software sits on a company's application development build server, which developers use to compile their code. Source Code Analysis scans the code and alerts the developer of any potential problems.
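The two preceding paragraphs describe the flaw class (user input spliced into a database query) and the kind of tool that catches it on the build server. The following is an added example written for this page, not code from Oracle, Fortify or the products named here. It assumes an in-memory SQLite table as a stand-in for an application database, shows a lookup vulnerable to SQL injection beside its parameterized fix, and includes a deliberately small pattern-based checker (`scan_source`, a hypothetical helper) that flags `execute()` calls fed a dynamically built statement, the sort of finding a source-code analyzer would raise. The checker is an illustration of the idea, not Fortify's analysis.

```python
import re
import sqlite3


def _setup_db():
    # Constructed in-memory table; sqlite3 is used only because it ships with Python.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (id INTEGER, username TEXT, balance INTEGER)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)",
                     [(1, "alice", 100), (2, "bob", 250), (3, "carol", 75)])
    return conn


def lookup_vulnerable(conn, username):
    # The form field is spliced into the statement text, so whatever the
    # user typed is parsed as SQL together with the developer's query.
    sql = "SELECT id, username, balance FROM accounts WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    # Bind variable: the value travels separately from the statement and is
    # compared as data, never parsed as SQL. This is the fix a scanner asks for.
    sql = "SELECT id, username, balance FROM accounts WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Toy stand-in for a source-code analysis check: a statement string assembled at
# run time (concatenation, %-formatting, str.format or an f-string) that reaches
# execute() is reported. Real analyzers track data flow far more thoroughly.
_DYNAMIC_SQL = re.compile(r"""(["'].*["']\s*\+|\+\s*["']|%\s*\(|\.format\(|\bf["'])""")
_ASSIGN = re.compile(r"^\s*(\w+)\s*=\s*(.+)$")
_EXECUTE = re.compile(r"\.execute\(\s*([^,)]+)")


def scan_source(source):
    """Return (line number, line) for each execute() fed a dynamically built string."""
    findings = []
    dynamic_vars = set()
    for lineno, line in enumerate(source.splitlines(), 1):
        if line.lstrip().startswith("def "):
            dynamic_vars = set()          # variable names are tracked per function
        assign = _ASSIGN.match(line)
        if assign and _DYNAMIC_SQL.search(assign.group(2)):
            dynamic_vars.add(assign.group(1))   # remember variables holding built-up SQL
        call = _EXECUTE.search(line)
        if call:
            arg = call.group(1).strip()
            if arg in dynamic_vars or _DYNAMIC_SQL.search(arg):
                findings.append((lineno, line.strip()))
    return findings


# Constructed source text for the scanner to inspect: the two lookups above as
# they would appear in a file checked in to the build server.
SAMPLE_SOURCE = '''
def lookup_vulnerable(conn, username):
    sql = "SELECT id, username, balance FROM accounts WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()

def lookup_parameterized(conn, username):
    sql = "SELECT id, username, balance FROM accounts WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()
'''


if __name__ == "__main__":
    # A constructed malformed field value of the kind the US-CERT note describes.
    hostile = "x' OR '1'='1"
    print("vulnerable lookup returns", len(lookup_vulnerable(_setup_db(), hostile)), "rows")
    print("parameterized lookup returns", len(lookup_parameterized(_setup_db(), hostile)), "rows")
    for lineno, line in scan_source(SAMPLE_SOURCE):
        print(f"finding at line {lineno}: {line}")
```

The scanner reports only the `execute()` call in `lookup_vulnerable`; the parameterized version passes the same variable name but its statement is a constant, so it is not flagged. Running the file shows the vulnerable lookup returning every row for the malformed input while the parameterized lookup returns none.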

Source-code tools aren't new; earlier incarnations tested programs to make sure that areas of code executed according to plan so that users got the experience that vendors promised. This new generation of analysis technology, including software from Fortify, Agitar Software's Agitator, Parasoft's JTest and C++test, and Watchfire's AppScan, is tuned specifically to address security concerns during the application development and testing phases. "Instead of looking at what the code should be doing, we look at what the code should not be doing," Jack says.

Oracle and Fortify have been working together over the past 12 months to scale Source Code Analysis to run on Oracle's large code base. Oracle is by far Fortify's largest customer, although the company's customer base also includes Macromedia Inc., which on Dec. 5 was bought by Adobe Systems Inc.

Both Oracle and Fortify say that the cost of implementing Source Code Analysis will not add to the cost of Oracle's software and will ultimately save customers money by cutting down on the number of patches that must later be applied.