Secure Development Practices

Overview of Secure Development Practices

Oracle Software Security Assurance (OSSA) is Oracle’s methodology for building security into the design, build, testing, and maintenance of its products in every phase of the product development life cycle. These products are used on premises by customers, or delivered through Oracle Cloud. Oracle’s goal is to ensure that the products help customers meet their security requirements and provide the most cost effective ownership experience.

Secure Development - DevSecOps

Oracle secures the DevOps development process using a variety of techniques:

Broad developer training to developers for understanding the principles of secure software development.
Early creation of Trust Models and Risk Assessments to avoid common security pitfalls in the designs.
Identify and expose sensitive interfaces to targeted testing for reducing or eliminating software vulnerabilities.
Extensive use of automated security testing to identify vulnerabilities in third party software.
Check for common OWASP (Open Source Foundation for Application Security) top 10 items and perform fuzz testing on key exposed interfaces.
Evaluate deployed software configurations using industry best practices.

Vulnerability Handling

For details about the vulnerability handling, refer to Oracle Critical Patch Update Program. The primary mechanism for the backport of fixes for security vulnerabilities in Oracle products is the quarterly Critical Patch Update (CPU) program.

In general, the CNC Software is on a quarterly release cycle with each release providing feature updates and fixes, and updates to relevant third party software. These quarterly release provide cumulative patch updates.