Developing secure software requires consistently applied methodologies across the organization, methodologies that conform to stated policies, objectives, and principles. Oracle’s objective is to produce secure code. To that end, Oracle requires that all of its development organizations abide by secure coding principles that have been documented and are maintained to remain relevant. Additionally, Oracle has adapted its secure coding principles for use by its consulting and services organizations when they are engaged in producing code on behalf of Oracle customers.
To ensure that Oracle products are developed with consistently high security assurance, and to help developers avoid common coding mistakes, Oracle employs formal Secure Coding Standards.
Oracle Secure Coding Standards are a roadmap and guide for developers in their efforts to produce secure code. They discuss general security knowledge areas such as design principles, cryptography and communications security, common vulnerabilities, etc., and provide specific guidance on topics such as data validation, Common Gateway Interface, user management, and more.
All Oracle developers must be familiar with these standards and apply them when designing and building products. The coding standards have been developed over a number of years and incorporate best practices as well as lessons learned from continued vulnerability testing by Oracle’s internal product assessment team. The Secure Coding Standards are a key component of Oracle Software Security Assurance, and adherence to the Standards is assessed and validated throughout the supported life of all Oracle products.
Oracle Secure Coding Standards have evolved and expanded over time to address the most common issues affecting Oracle code, insights and lessons learned, new threats as they are discovered, and new use cases by Oracle customers. They are integral to language-specific standards such as those for C/C++, Java, Python, and other languages, and a cornerstone of Oracle’s Software Security Assurance programs and processes.
All staff at Oracle are required to take security training. Additionally, technical staff, up to and including vice presidents, who are involved in building, maintaining, customizing, or testing code are required to take an OSSA (Oracle Software Security Assurance) awareness course. Additional, more advanced training on secure coding techniques is available. This ongoing education helps ensure that all staff are security aware and understand that Oracle has high standards for producing secure products.