Secure software does not happen by itself. It requires consistently applied methodologies across the organization; methodologies that conform to stated policies, objectives, and principles. The objective is to produce secure code: Oracle requires that all of development abide by secure coding principles that have been laid down, communicated, and staff has been trained on.
To ensure that Oracle products are developed with consistently high security assurance, and to help developers avoid common coding mistakes, Oracle employs formal secure coding standards.
Oracle Secure Coding Standards are a roadmap and guide for developers in their efforts to produce secure code. They discuss general security knowledge areas such as design principles, cryptography and communications security, common vulnerabilities, etc., and provide specific guidance on topics such as data validation, CGI, user management, and more.
All Oracle developers must be familiar with these standards, and apply them when designing and building products. The coding standards have been developed over a number of years and incorporate best practices as well as lessons learned from continued vulnerability testing by Oracle’s internal product assessment team. Oracle ensures that developers are familiar with its coding standards by requiring that they undergo secure coding training. The Secure Coding Standards are a key component of Oracle Software Security Assurance and adherence to the Standards is assessed and validated throughout the supported life of all Oracle products.
Oracle Secure Coding Standards have evolved and expanded over time to address the most common issues affecting Oracle code, insights and lessons learned, new threats as they are discovered, and new use cases by Oracle customers. The Secure Coding Standards do not live in a vacuum nor are they an after the fact addendum to software development. They are integral to language specific standards such as C/C++, Java, PL/SQL, and others, and a key cornerstone to Oracle’s Software Security Assurance programs and processes.
Over the years, Oracle has internally developed training based on the Secure Coding Standards. Oracle delivers this training to its product development organization, including developers as well as product management, release management and quality assurance staff, on a continual basis. Training is not limited to individual contributors; managers up to and including vice presidents are required to take the Secure Coding training classes. This ongoing education helps ensure that developers are familiar with all aspects of secure coding, and understand that Oracle has high standards for producing secure products.