December 22, 2005

Oracle Adopts Fortify.

Oracle has apparently decided to go with Fortify for code-scanning. According to Mary Ann Davidson:

"There's lots of Band-Aid products out there that protect against attacks. You wouldn't need so many Band-Aids if you could actually have a vaccine," Davidson says.

Sigh. Vaccine? I'm not clear on the metaphor; is Fortify the vaccine? For us or for Oracle? Seems to me like Oracle is the sick one in this equation. I had fully planned on reaming out Oracle in this humble forum for "sticking their head up" too early after their public blasting in the summer, but it looks like David Litchfield has done that work already in the security press. My favorite quote from him this round is:

"By far the best approach is to code securely in the first instance," he said. "Source code scanning tools should be the last line of defense, not an excuse for lazy and insecure programming."

Posted by Ed at December 22, 2005 10:07 AM