Mary Ann Davidson, Chief Security Officer at Oracle, has just published an outstanding article, Those Who Can't Do, Audit, on companies that are now offering static code analysis as a service and why Oracle won't be turning over any of our code to them. Here at Oracle, security is a core part of every product.
I work in the Oracle Solaris Security team, where we build software that is typically seen as performing security services. For example, I work on the Oracle Solaris Cryptographic Framework, which provides hardware-optimized cryptographic algorithms to applications and to the rest of the operating system: a pretty standard security function. But secure coding standards, in-house static analysis, and security considerations need to be part of the development of the entire operating system, not just of the components labelled "security".
I think Ms. Davidson said it best: "Oracle cannot – does not – outsource security."
This post is syndicated from Thoughts on security, beer, theater and biking!
That's an interesting article, and it made me wonder, especially when reading between the lines. While I expect they'd be looking to do rather more than conventional static code analysis, I hope Oracle doesn't think of the NSA and CESG as "SASO" and is prepared to provide code and assistance to these organisations as required - otherwise, that's rather a lot of Government business which will be going elsewhere...