Within Oracle, all products and components are required to uphold product security assurance to decrease the risk of introducing security vulnerabilities. Secure development processes and practices impact every product including those gained by acquisition. At the core of Oracle's secure development practices are Oracle Secure Coding Standards, which include lessons learned from past experience.
A Lifecycle Approach to Security
Oracle secures its products throughout the various phases of the life of a product: from design and development through release. In the product definition phase, Oracle Software Security Assurance activities include product planning and developer training activities to improve knowledge of customer requirements and secure coding practices as well as awareness of security concerns. The product development phase is the one in which most of Oracle Software Security Assurance activities are focused. Oracle Software Security Assurance activities also extend to the ongoing maintenance of products after they have been released to customers.
Oracle believes that good security needs to be built in, not bolted on. Secure development starts early in the product definition phase and continues through the entire product lifecycle. Security requirements are gathered and documented early in the design stage based on two principles:
Consistency—New features should have consistent security behavior when compared to other product features.
Simplicity—A feature should not introduce a new privilege model where there is an existing privilege model unless there is an outstanding reason to do so.
Both the design and functional specifications have specific sections covering security assurance issues that may impact a new version, ranging from handling data correctly to secure configuration guidance at installation.
Common Security Modules
Some problems are best solved only once. Development teams can benefit from common security modules that save time because each team does not have to track down the kinds of subtle errors that creep into certain core features. Oracle does consolidate critical security functionality into core modules and services that are tested extensively for use across Oracle products. This ensures that different development teams do not attempt to re-invent solutions or, more importantly, create new cryptographic libraries, user repositories, or authentication schemes that have not been extensively tested or reviewed.
Customer Validation – The Security Customer Advisory Council
Oracle has established the Security Customer Advisory Council (SCAC) to validate and gather additional feedback and guidance on matters relating to the security of its products. This customer council also looks at security processes, such as Critical Patch Update (CPU) and Security Alerts, and through the years has given valuable input that has improved our security assurance overall. Oracle tries to ensure that all industries are represented at the SCAC, as well as all geographic areas. In addition, Oracle tries to ensure that users of all Oracle product families (and newly acquired product lines) are represented at the SCAC.
After the product is defined and design is documented, it moves to the development phase where security assurance activities continue. Ongoing reviews by product teams continue to validate compliance with Secure Coding Standards and previously documented security specifications.
Security Analysis and Testing
Extensive use of testing tools by both Development and Quality Assurance teams provides ongoing feedback on the quality of the code produced during the development phase before the final product is shipped. These tools span a range of techniques, including static code analysis, compliance and auditing analysis, and fuzzing. In yet another example of how Oracle uses past experience and lessons learned to fine-tune security assurance activities, the company supplements the use of external commercial and open source tools with a number of tools that have been internally developed to address specialized requirements.
Security assessments, also called ethical hacking, consist of security testing using a structured, methodical approach carried out against an Oracle product. A security assessment looks at product architecture from a security perspective, identifies security bugs, and documents them. The goal is to identify vulnerabilities as well as educate the development group on secure coding techniques that can be applied going forward.