Global Product Security

Overview

Oracle’s goal is to ensure that Oracle's products, and the systems that leverage those products, remain as secure as possible. Encompassing every phase of the product development lifecycle, Oracle Software Security Assurance is Oracle's methodology for building security into the design, build, testing, and maintenance of its products.

Under the leadership of Oracle’s Chief Security Officer, Global Product Security promotes the use of Oracle Software Security Assurance standards throughout Oracle, acts as a central resource to help development teams improve the security of their products, and handles specialized security functions.

The Oracle Secure Development Community

The Oracle software technology stack is diverse. Development organizations retain ownership of the security of the code they develop, and each maintains specialized security resources with deep knowledge of the security architecture of its products.

To foster this security community within Oracle, Global Product Security has implemented formal programs for the training of security personnel and has dedicated staff supporting the security community across development. This dotted-line approach ensures that strong security expertise is present throughout each development organization and promotes timely adaptation to security trends within those organizations.

Security Leads

Security Leads are individuals responsible for the adoption of Oracle Software Security Assurance policies and practices within their respective business units.

Security Points of Contact

Assigned by their respective Security Lead, Security Points of Contact (SPOCs) are responsible for the tactical implementation of Oracle Software Security Assurance at the product level.

Security Leads and Backup Leads: over 150
Security Points of Contact: over 1,700

Cryptography Review Board

Oracle's Cryptography Review Board (CRB) defines and promotes cryptography-related technical standards for Oracle products and services. The group is primarily responsible for making technical decisions and authoring internal standards that address government and industry requirements. Representatives from Corporate Security and development organizations define best practices for using and implementing cryptography in Oracle software products and cloud services, derived from frequent reviews of existing industry practices and current threat intelligence. The CRB's responsibilities include:

  • Creating and maintaining standards for cryptography algorithms, protocols, and their parameters
  • Providing approved standards in multiple formats, for readability and automation
  • Defining approved cryptography providers as well as recommended and approved key management solutions for use by Oracle
  • Providing practical guidance on using cryptography
  • Performing forward-looking research and developing technology prototypes on topics such as post-quantum cryptography