Call: +44 (0)1904 557620 Call

Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

[Previous entry: "Nice paper on database links"] [Next entry: "standalone discoverer clients now sso compliant for E-Business Suite users"]

Mary Ann Davidson announces that Fortify software will be used to find security holes in Oracle software

I saw today that Mary Ann Davidson has announced that Fortify Software Inc's products will be used to check the database server software and middleware for potential security holes. I saw this is a post titled "Oracle Turns to Fortify to Secure Source Code". In this post Mary Ann says she has searched for years for a suitable tool to audit the Oracle software. There is a sting in the tail though as Fortify's software is not suitable for auditing large swathes of the Oracle product stack such as the application server, E-Business Suite, Peoplesoft and many more that are written in a variety of languages, presumably PL/SQL is one of these that are not supported. It sounds from this article that the C used for the server will be audited but PL/SQL not. As most of the recent SQL Injection issues and therefore security bugs are in PL/SQL packages this new tool is unlikely to make large inroads into the recent woes caused by these bugs.