Oracle maintains teams of specialized security professionals for the purpose of assessing the security strength of the company’s infrastructure, products, and services. These teams perform various levels of complementary security testing:
Oracle IT organizations are responsible for security scanning of the Oracle corporate systems and Cloud services they manage, per Oracle’s Server Security Policy and associated technology standards. All scanning tools must be approved per the Corporate Security Solution Assurance Process (CSSAP). Scan results are analyzed using a risk-based approach. Change management processes are used to address any identified issues according to risk-based prioritization, per management approval.
Information about operational security scans of Oracle’s corporate systems and cloud services is Oracle Confidential and is not shared externally.
Oracle requires that external facing systems and cloud services undergo penetration testing performed by independent security teams. Global Information Security’s Penetration Testing Team performs penetration tests and provides oversight to all lines of business in instances where other internal security teams or an approved third-party perform penetration testing activities. This oversight is designed to drive quality, accuracy, and consistency of penetration testing activities and their associated methodology. Oracle has formal penetration testing requirements which include test scope and environment definition, approved tools, findings classification, categories of exploits to attempt via automation and manual steps, and procedures for reporting results.
Penetration tests are routinely performed against Oracle cloud services and in test environments against on-premises products. Oracle’s corporate security teams monitor test execution, reporting quality and findings remediation. Before a line of business is allowed to bring a new system or cloud service into production, Oracle requires that the remediation of significant penetration test findings be completed.
Information about penetration tests of Oracle’s corporate systems and cloud services is Oracle Confidential and is not shared externally.
Ethical hacking engagements are performed by the Ethical Hacking Team (EHT), an independent group of security researchers in the Global Product Security organization.
While the EHT test reports are never disclosed externally, the team reports its findings to the corporate security architect as well as the senior leadership of the affected lines of business. In addition, the EHT team is a significant contributor to the Oracle Secure Coding Standards and periodically present abbreviated results of its findings as “lesson learned” for Oracle development.
The Mission of Oracle Labs is straightforward: identify, explore, and transfer new technologies that have the potential to substantially improve Oracle software, Oracle Cloud services, and corporate operations. Oracle Labs researchers look for novel approaches and methodologies, often taking on projects with high risk or uncertainty, or that are difficult to tackle within a product development organization.
Oracle’s commitment to R&D is a driving factor in the development of technologies that have kept Oracle at the forefront of the computer industry. Although many of Oracle's leading-edge technologies originate in its product development organizations, Oracle Labs is the sole organization at Oracle that is devoted exclusively to research.