Oracle turns to Fortify to secure source code

Startup source-code security technology developer Fortify Software Inc. scored a major triumph on Tuesday as Oracle Corp. announced plans to use Fortify's tools to seek out holes in Oracle's database and middleware software.

Oracle Chief Security Officer Mary Ann Davidson said she searched for years for automated tools to examine Oracle's source code but had been unimpressed with the available products. Fortify was the first company to listen to Oracle's description of its development process and to tailor its software to meet Oracle's needs, Davidson said.

Oracle has a code base of more than 30 million lines, and is the first top-tier commercial software developer to sign on as a Fortify customer. Other Fortify clients include a number of financial services companies, as well as Flash maker Macromedia Inc. Identity management software developer Oblix, acquired by Oracle earlier this year, was also a customer, but Davidson said Oracle's work with Fortify predated its Oblix buy.

Fortify's software is an integrated collection of tools that scan code for secure coding policy violations and other weaknesses. Oracle has licensed the tools for its Server Technologies group, which handles development of its database, application server, identify management and collaboration suite software. Oracle's application software, including its E-Business Suite and the products Oracle acquired from PeopleSoft and other vendors, is written in a variety of programming languages and isn't a good fit for Fortify's tools, and will not be included in the deal, Davidson said.

Oracle, based in Redwood Shores, California, hopes that by eliminating vulnerabilities before code turns into shipped product, it will reduce the number of patches it needs to issue and improve its customers' security.

"There's lots of band-aid products out there that protect against attacks. You wouldn't need so many band aids if you could actually have a vaccine," Davidson said.

Oracle, which once used "unbreakable" as its brand slogan, has taken a few hits on its security reputation this year after issuing a spate of critical patches. A German security firm published details of several high-risk vulnerabilities in Oracle's software after the firm said it tried for years to draw Oracle's attention to the security holes.

Fortify is a private, venture capital-backed vendor with headquarters in Palo Alto, California. The company launched last year and now has around 50 employees. Winning Oracle's business will be a major boost to Fortify's credibility as it looks to convince more large vendors to license its security tools.

Working with Oracle has helped Fortify refine its first-generation software and improve its tools' performance, Fortify Chief Executive Officer John Jack said.

"We now have a product that scales to the largest code base," Jack said. "It's been a great year."