
Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.


Teaching an Old Dog New Tricks

I got an email today to let me know about a good post by Marcus Ranum on his site titled "Teaching an Old Dog New Tricks" which talks about programming, bugs, exploits and, most importantly, about Fortify in some detail. This is the tool Oracle announced around a year ago that they had bought and were using internally to audit their own source code. It is a source code analyser that looks for bugs or potential bugs in software, and it supports C and PL/SQL amongst other languages. This is a good tool but there is little information on the net about it, particularly the sorts of checks that it performs. This article is quite revealing in terms of what the tool does. There are a number of other free tools that can check C and C++ but not PL/SQL, such as RATS, flawfinder, findbugs, ITS4, Prexis and splint.
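To give a flavour of the kind of check a PL/SQL source analyser performs, here is an added example of my own (it is not Fortify's code and does not claim to reproduce any Fortify rule). It flags dynamic SQL sinks (EXECUTE IMMEDIATE, OPEN ... FOR, DBMS_SQL.PARSE) that are fed a string built by '||' concatenation, the classic PL/SQL injection pattern. The procedures in the sample are constructed for this example.

```python
import re

# Constructed PL/SQL sample (written for this example, not taken from the post):
# get_emp builds its statement by concatenating a parameter, get_emp_safe uses a bind.
SAMPLE_PLSQL = """
CREATE OR REPLACE PROCEDURE get_emp(p_name IN VARCHAR2) IS
  v_sql VARCHAR2(4000);
BEGIN
  v_sql := 'SELECT ename FROM emp WHERE ename = ''' || p_name || '''';
  EXECUTE IMMEDIATE v_sql;
END;
/
CREATE OR REPLACE PROCEDURE get_emp_safe(p_name IN VARCHAR2) IS
BEGIN
  EXECUTE IMMEDIATE 'SELECT ename FROM emp WHERE ename = :1' USING p_name;
END;
/
"""

# Sinks that execute dynamically built SQL.
DYNAMIC_SQL = re.compile(r"\b(EXECUTE\s+IMMEDIATE|OPEN\s+\w+\s+FOR|DBMS_SQL\.PARSE)\b", re.I)
# A variable assigned from a '||' concatenation is treated as tainted.
CONCAT_ASSIGN = re.compile(r"^\s*(\w+)\s*:=.*\|\|", re.I)

def find_dynamic_sql_taint(source):
    """Return (line_no, line) pairs where a dynamic-SQL sink either concatenates
    inline or consumes a variable that was built by concatenation.
    Line-oriented heuristic: a real analyser would track data flow across
    statements and procedures, not just within one line's text."""
    findings = []
    tainted = set()
    for no, line in enumerate(source.splitlines(), start=1):
        assign = CONCAT_ASSIGN.match(line)
        if assign:
            tainted.add(assign.group(1).lower())
        sink = DYNAMIC_SQL.search(line)
        if sink:
            rest = line[sink.end():]
            words = {w.lower() for w in re.findall(r"\w+", rest)}
            if "||" in rest or words & tainted:
                findings.append((no, line.strip()))
    return findings

if __name__ == "__main__":
    for no, line in find_dynamic_sql_taint(SAMPLE_PLSQL):
        print(f"line {no}: dynamic SQL built by concatenation: {line}")
```

Run against the sample it reports only the EXECUTE IMMEDIATE in get_emp; the bind-variable version in get_emp_safe is left alone.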

If anyone has any more details on what Fortify does, particularly in terms of PL/SQL auditing, I would be interested to know.