
Security Analysis and Testing
Overview
Oracle requires that security testing be performed for its on-premises and cloud products. Security testing of Oracle code includes both functional and non-functional activities for verification of product features and quality. Although these types of tests often target overlapping product features, they have orthogonal goals and are carried out by different teams. Functional and non-functional security tests complement each other to support comprehensive security testing coverage of Oracle products.
Oracle will not provide customers with sensitive security assurance artifacts (including but not limited to static code analysis reports). Additionally, Oracle will not submit its products to third-party static code assessments. For more information, see MOS Article: General Instructions for Submitting Security Questionnaires to Oracle (DOC ID 2337651.1).
Functional Security Testing
Functional security testing is typically executed by the regular product Quality Assurance (QA) teams as part of the standard product testing cycle. During this testing, QA engineers verify that the implemented security features conform to what was previously agreed upon in the functional specifications during the architectural and checklist review process.
Oracle Labs
The mission of Oracle Labs is to identify, explore, and transfer new technologies that have the potential to substantially improve Oracle software, Oracle Cloud services, and corporate operations. Oracle Labs researchers look for novel approaches and methodologies, often taking on projects with high risk or uncertainty, or that are difficult to tackle within a traditional product development organization. Oracle Labs is devoted exclusively to research. A number of security tools are developed by Oracle Labs, including Oracle Parfait for static code analysis, and Oracle Macaron, a supply chain security analysis tool.
Security Assurance Analysis and Testing
Security assurance analysis and testing verify security qualities of Oracle products against various types of attacks. There are two broad categories of tests employed for testing Oracle products: static and dynamic analysis.
Static Analysis
Static security analysis of source code is the initial line of defense used during the product development cycle. Oracle uses a commercial static code analyzer, as well as a variety of internally developed tools, to locate problems while code is being written.
Dynamic Analysis
Dynamic analysis always takes place during the later phases of product development: at the very least, the product or component must be able to run. Dynamic analysis is aimed at externally visible product interfaces and APIs, and frequently relies on specialized tools for testing. Both manual and automatic tools are used at Oracle. Automatic tools employ fuzzing techniques to test network-accessible product interfaces and protocols, while manual tools require the tester to make the modifications by hand.