Developing secure software requires consistently applied methodologies across the organization; methodologies that conform to stated policies, objectives, and principles. Oracle’s objective is to produce secure code. To that end, Oracle requires that all of development abide by secure coding principles that have been documented and maintained to remain relevant.
To ensure that Oracle products are developed with consistently high security assurance, and to help developers avoid common coding mistakes, Oracle employs formal Secure Coding Standards.
Oracle Secure Coding Standards are a roadmap and guide for developers in their efforts to produce secure code. They discuss general security knowledge areas such as design principles, cryptography and communications security, common vulnerabilities, etc., and provide specific guidance on topics such as data validation, Common Gateway Interface, user management, and more.
All Oracle developers must be familiar with these standards and apply them when designing and building products. The coding standards have been developed over a number of years and incorporate best practices as well as lessons learned from continued vulnerability testing by Oracle’s internal product assessment team. Oracle ensures that developers are familiar with its coding standards. The Secure Coding Standards are a key component of Oracle Software Security Assurance and adherence to the Standards is assessed and validated throughout the supported life of all Oracle products.
Oracle Secure Coding Standards and related guidance have evolved and expanded over time to encompass emerging technologies such as Artificial Intelligence and Machine Learning (AI/ML) and address the most common issues affecting Oracle code, new threats as they are discovered, and new customer use cases for Oracle technology. They are integral to language-specific standards such as C/C++, Java, Python, and others, and a key cornerstone to Oracle’s Software Security Assurance programs and processes.
All staff at Oracle are required to take security training. Additionally, technical development staff up to and including vice presidents, who are involved in building, maintaining, customizing or testing product code are required to take an OSSA awareness course. Additional highly technical training on secure coding techniques is available. This ongoing education helps ensure that all development staff are aware of Oracle’s high standards for producing secure products.
Additionally, Oracle has adapted its secure coding principles and created training material for use by its consulting and services organizations when they are engaged in producing code on behalf of customers.