We are often asked, particularly in conversations with customers, whether we do vulnerability (or penetration) testing with PeopleSoft, and whether we discuss the tools we use or the external testing agencies.
The short answer is: Yes, we do vulnerability testing, as part of the release cycle; and no, we don't discuss the testing results, for security reasons. Product development adheres to Oracle's internal secure coding standards and practices.
This topic is timely, since the quarterly Critical Patch Update is due for release this month.
Since we are all merely standing on the shoulders of giants, I thought it would be useful to refer to a couple of great posts on the Oracle Global Product Security blog.
Oracle Software Security Assurance update (by Eric Maurice): http://blogs.oracle.com/security/2006/11/oracle_software_security_assur.html
"... one of Oracle's highest priorities is the security of our customers. With Oracle Software Security Assurance, our objectives, policies, procedures, and people are all aligned with the intent of providing customers with the strongest security in all of our products."
Security Defect Testing (by Darius Wiles): http://blogs.oracle.com/security/2009/10/security_defect_testing.html
"... The increasing use of automated tools by Oracle is having an impact on the proportion of security defects that are discovered internally versus those reported by external sources. For reporting and tracking purposes, we categorize security defects into groups based on who found them, namely internal, customer and external."
Oracle Software Security Assurance: http://www.oracle.com/security/software-security-assurance.html
"... Oracle Software Security Assurance program ensures that Oracle products meet or exceed customers' security requirements, while also providing for the most cost-effective ownership experience."
All the links above are on oracle.com and none requires a separate login.