Oracle turns to Fortify to secure source code

Start-up source-code security technology developer Fortify Software scored a major triumph on Tuesday as Oracle announced plans to use Fortify’s tools to seek out holes in Oracle’s database and middleware software.

Oracle Chief Security Officer Mary Ann Davidson says she searched for years for automated tools to examine Oracle’s source code but had been unimpressed with the available products. Fortify was the first company to listen to Oracle’s description of its development process and to tailor its software to meet Oracle’s needs, Davidson says.

Oracle has a code base of more than 30 million lines, and is the first top-tier commercial software developer to sign on as a Fortify customer. Other Fortify clients include a number of financial services companies, as well as Flash maker Macromedia. Identity management software developer Oblix, acquired by Oracle earlier this year, was also a customer, but Davidson says Oracle’s work with Fortify predated its Oblix buy.

Fortify’s software is an integrated collection of tools that scan code for secure coding policy violations and other weaknesses. Oracle has licensed the tools for its Server Technologies group, which handles development of its database, application server, identity management and collaboration suite software. Oracle’s application software, including its E-Business Suite and the products Oracle acquired from PeopleSoft and other vendors, is written in a variety of programming languages and isn’t a good fit for Fortify’s tools, and will not be included in the deal, Davidson says.

Oracle hopes by eliminating vulnerabilities before code turns into shipped product, it will reduce the number of patches it needs to issue and improve its customers’ security.

“There’s lots of Band-Aid products out there that protect against attacks. You wouldn’t need so many Band-Aids if you could actually have a vaccine,” Davidson says.

Oracle, which once used “unbreakable” as its brand slogan, has taken a few hits on its security reputation this year after issuing a spate of critical patches. A German security firm published details of several high-risk vulnerabilities in Oracle’s software after the firm said it tried for years to draw Oracle’s attention to the security holes.

Fortify launched last year and now has around 50 employees. Winning Oracle’s business will be a major boost to Fortify’s credibility as it looks to convince more large vendors to license its security tools.

Working with Oracle has helped Fortify refine its first-generation software and improve its tools’ performance, Fortify CEO John Jack says.

“We now have a product that scales to the largest code base,” Jack says. “It’s been a great year.”