Oracle’s goal is to ensure that Oracle's products, and the systems that leverage those products, remain as secure as possible. Encompassing every phase of the product development lifecycle, Oracle Software Security Assurance is Oracle's methodology for building security into the design, build, testing, and maintenance of its products.
Under the leadership of Oracle’s Chief Security Officer, Global Product Security promotes the use of Oracle Software Security Assurance standards throughout Oracle, acts as a central resource to help development teams improve the security of their products, and handles specialized security functions.
The Oracle software technology stack is diverse. Development organizations retain the ownership of the code they developed by maintaining specialized security resources with deep knowledge of the security architecture of their products.
In order to foster this security community within Oracle, Global Product Security has implemented formal programs for the training of security personnel and has dedicated staff supporting the security community across development. This dotted-line approach enables strong security expertise to be present throughout each development organization and promotes timely adaptation to security trends in these organizations.
Security Leads are individuals responsible for the adoption of Oracle Software Security Assurance policies and practices within their respective business units.
Assigned by their respective Security Lead, Security Points of Contact (SPOCs) are responsible for the tactical implementation of Oracle Software Security Assurance at the product level.
Security Leads and Backup Leads: over 150
Security Points of Contact: over 1,700
Oracle's Cryptography Review Board (CRB) defines and promotes cryptography-related technical standards for Oracle products and services. The group is primarily responsible for making technical decisions and authoring internal standards to address government and industry requirements. Representatives from Corporate Security and development organizations define best practices related to using and implementing cryptography in Oracle software products and cloud services, derived from frequent reviews of existing industry practices and current threat intelligence. CRB's responsibilities include: