[ISN] Oracle turns to Fortify to secure source code

InfoSec News isn at c4i.org
Tue Dec 27 08:20:09 UTC 2005


Forwarded from: security curmudgeon <jericho at attrition.org>

: http://www.networkworld.com/news/2005/122005-oracle-fortify.html
: 
: By Stacy Cowley
: 
: Start-up source-code security technology developer Fortify Software 
: scored a major triumph on Tuesday as Oracle announced plans to use 
: Fortify's tools to seek out holes in Oracle's database and middleware 
: software.
: 
: Oracle Chief Security Officer Mary Ann Davidson says she searched for 
: years for automated tools to examine Oracle's source code but had been 
: unimpressed with the available products. Fortify was the first company 
: to listen to Oracle's description of its development process and to 
: tailor its software to meet Oracle's needs, Davidson says.

Oracle should have taken the money they paid Davidson and used it to
hire humans who can perform code review. Better bang for the buck.

: Oracle has a code base of more than 30 million lines, and is the first 
: top-tier commercial software developer to sign on as a Fortify customer. 
: Other Fortify clients include a number of financial services companies, 
: as well as Flash maker Macromedia. Identity management software 

I have not used Fortify's products, nor heard good/bad about them.
But, using Macromedia as part of a sales pitch is a little damning.
Looking at Macromedia vulnerabilities in Nov/Dec of 2005:

Macromedia JRun Server URL Request Overflow - Dec 15, 2005
Macromedia JRun Server Crafted URL Application Source Disclosure - Dec 15, 2005
Macromedia ColdFusion JRun Clustered Sandbox Security Bypass - Dec 15, 2005
Macromedia ColdFusion CFMAIL Tag Subject Field Arbitrary File Access - Dec 15, 2005
Macromedia ColdFusion Crafted API Administrator Password Hash Disclosure - Dec 15, 2005
Macromedia Flash Media Server Administration Service Crafted Packet Remote DoS - Dec 7, 2005
Macromedia Flash/Breeze Communication Server Malformed RTMP Data DoS - Nov 15, 2005
Macromedia Contribute Publishing Server Shared FTP Credential Weak Password Encryption - Nov 15, 2005
Macromedia Flash Player Flash.ocx ActionDefineFunction Function Arbitrary Code Execution - Nov 7, 2005
Macromedia Flash Player Flash.ocx Unspecified Function Arbitrary Code Execution - Nov 4, 2005

: Oracle hopes by eliminating vulnerabilities before code turns into 
: shipped product, it will reduce the number of patches it needs to issue 
: and improve its customers' security.
: 
: "There's lots of Band-Aid products out there that protect against 
: attacks. You wouldn't need so many Band-Aids if you could actually have 
: a vaccine," Davidson says.

Davidson sounds like a bad politician. How long has she been in the
industry?

: Oracle, which once used "unbreakable" as its brand slogan, has taken a 
: few hits on its security reputation this year after issuing a spate of 
: critical patches. A German security firm published details of several 
: high-risk vulnerabilities in Oracle's software after the firm said it 
: tried for years to draw Oracle's attention to the security holes.

A few hits? Try *hundreds* of vulnerabilities in 2005 alone. Try being
the worst database products for security your money can buy. Try
having the worst turnaround in addressing vulnerabilities (even
trivial XSS) in years.





More information about the ISN mailing list