I saw today that Mary Ann Davidson has announced that Fortify Software Inc's products will be used to check the database server software and middleware for potential security holes. I saw this is a post titled "Oracle Turns to Fortify to Secure Source Code
". In this post Mary Ann says she has searched for years for a suitable tool to audit the Oracle software. There is a sting in the tail though as Fortify's software is not suitable for auditing large swathes of the Oracle product stack such as the application server, E-Business Suite, Peoplesoft and many more that are written in a variety of languages, presumably PL/SQL is one of these that are not supported. It sounds from this article that the C used for the server will be audited but PL/SQL not. As most of the recent SQL Injection issues and therefore security bugs are in PL/SQL packages this new tool is unlikely to make large inroads into the recent woes caused by these bugs.