Security is an issue again this week with the publication of Coverity’s Scan 2010 Open Source Integrity Report, which asks whether your Android device is safe. Oracle upgrades its GRC offerings, Brinqa ships a new GRC platform, and we take a look at risk management in the enterprise.

Is Your Android Safe?

Software integrity testing firm Coverity has just published the results of its Coverity Scan 2010 Open Source Integrity Report. The Scan project, started in 2006 as a collaboration between Coverity and the U.S. Department of Homeland Security, is the largest public-private sector research project focused on open source software integrity.

The 2010 edition covers the analysis of more than 61 million lines of open source code from 291 popular and widely-used open source projects, among them Android, Linux, Apache, Samba and PHP.

Highlights from the Coverity Scan 2010 Open Source Integrity Report include:

  • The Android kernel tested by Coverity contained 359 software defects, and that kernel is only a sample of the code shipping in mobile and other Android-based devices.
  • 25 percent of the Android defects found are high risk, with the potential to cause security breaches and crashes.
  • The most common defect types found in open source code remain memory corruption, NULL pointer dereferences, and resource leaks.
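To make the defect classes in that last bullet concrete, here is an added example in C (not code from the Coverity report or from the Android kernel): a constructor that contains an unchecked allocation dereferenced as if it had succeeded (a NULL pointer dereference) and an early return that drops two live allocations (a resource leak), next to the corrected form that unwinds with the goto-cleanup idiom the Linux kernel itself uses. The counting allocator and its fault-injection counter are assumptions added here so the leak can be measured; the NULL dereference is deliberately not executed, since it would crash the process.

```c
/* Added example: NULL pointer dereference and resource leak, buggy and
 * fixed.  The xalloc/xfree wrappers and the fail_on_call knob are test
 * scaffolding assumed for this example, not part of any real kernel. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

static int live_allocs = 0;   /* allocations not yet freed */
static int alloc_calls = 0;   /* allocations requested so far */
static int fail_on_call = 0;  /* 0 = never fail; N = fail the Nth call */

static void *xalloc(size_t n)
{
    alloc_calls++;
    if (alloc_calls == fail_on_call)
        return NULL;              /* injected allocation failure */
    void *p = malloc(n);
    if (p)
        live_allocs++;
    return p;
}

static void xfree(void *p)
{
    if (p) {
        free(p);
        live_allocs--;
    }
}

struct record {
    char *name;
    char *payload;
};

/* BUGGY: two of the report's defect classes in one function.
 *  - the name allocation is never checked, so on failure strcpy
 *    dereferences NULL;
 *  - if the payload allocation fails, the early return leaks both the
 *    record and its name. */
static struct record *record_create_buggy(const char *name, size_t payload_len)
{
    struct record *r = xalloc(sizeof(*r));
    if (!r)
        return NULL;
    r->name = xalloc(strlen(name) + 1);
    strcpy(r->name, name);            /* NULL pointer dereference if xalloc failed */
    r->payload = xalloc(payload_len);
    if (!r->payload)
        return NULL;                  /* resource leak: r and r->name */
    memset(r->payload, 0, payload_len);
    return r;
}

/* FIXED: every allocation is checked and the error path unwinds in
 * reverse order of acquisition. */
static struct record *record_create(const char *name, size_t payload_len)
{
    struct record *r = xalloc(sizeof(*r));
    if (!r)
        return NULL;
    r->name = xalloc(strlen(name) + 1);
    if (!r->name)
        goto err_name;
    strcpy(r->name, name);
    r->payload = xalloc(payload_len);
    if (!r->payload)
        goto err_payload;
    memset(r->payload, 0, payload_len);
    return r;

err_payload:
    xfree(r->name);
err_name:
    xfree(r);
    return NULL;
}

static void record_destroy(struct record *r)
{
    if (!r)
        return;
    xfree(r->payload);
    xfree(r->name);
    xfree(r);
}

/* Run a constructor with the third allocation (the payload) forced to
 * fail and return how many allocations are still live afterwards:
 * 0 for a constructor that unwinds, more for one that leaks.  Failing the
 * third call, not the second, avoids the buggy version's NULL dereference. */
static int leaked_after_payload_failure(struct record *(*ctor)(const char *, size_t))
{
    live_allocs = 0;
    alloc_calls = 0;
    fail_on_call = 3;
    struct record *r = ctor("audit-log", 64);   /* constructed input */
    fail_on_call = 0;
    record_destroy(r);                           /* both versions return NULL here */
    return live_allocs;
}

/* Success path of the fixed constructor: fields populated, nothing leaked. */
static int record_roundtrip_ok(void)
{
    live_allocs = 0;
    alloc_calls = 0;
    fail_on_call = 0;
    struct record *r = record_create("audit-log", 64);
    int ok = r && strcmp(r->name, "audit-log") == 0 && r->payload[63] == 0;
    record_destroy(r);
    return ok && live_allocs == 0;
}

int main(void)
{
    printf("buggy constructor leaks %d allocation(s) on payload failure\n",
           leaked_after_payload_failure(record_create_buggy));
    printf("fixed constructor leaks %d allocation(s) on payload failure\n",
           leaked_after_payload_failure(record_create));
    printf("fixed constructor success path ok: %d\n", record_roundtrip_ok());
    return 0;
}
```

The leak is invisible on the happy path and only shows up when an allocation fails, which is exactly why static analysis finds this class of defect more reliably than testing does: the analyzer follows every error branch, while a test suite rarely injects allocation failures. The NULL dereference in the buggy version is the same shape, a return value that is only ever checked on the lucky path.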

For the first time, Coverity will be releasing details on specific open source projects in the Coverity Scan 2010 Open Source Integrity Report, starting with the Android kernel 2.6.32, the Linux kernel shipped with Android 2.2 ("Froyo"). According to Google, more than 65,000 Android devices ship each day. Want to know more?

Oracle Upgrades GRC Software

Oracle has just announced an upgrade to its Oracle GRC Controls, part of Oracle Fusion Governance, Risk and Compliance software. Oracle GRC Controls 8.6 adds to Oracle's already considerable compliance portfolio, offering automated controls for Oracle and non-Oracle enterprise applications.

Unlike other tools on the market that require coding expertise and are aimed primarily at IT users, Oracle GRC Controls now lets business users embed control monitors directly into enterprise applications through a drag-and-drop user interface. It also adds incident management capabilities through active management of controls, enabling users to identify and reduce risk in business processes.

Oracle GRC Controls includes Oracle Enterprise Transaction Controls Governor (Oracle Enterprise TCG), Oracle Application Access Controls Governor (Oracle AACG), Oracle Configuration Controls Governor (Oracle CCG) and Oracle Preventive Controls Governor (Oracle PCG). There’s a lot in this upgrade, so if you want to find out more, Oracle's announcement has the details.

Brinqa Upgrades GRC Platform

Texas-based Brinqa has just announced Brinqa GRC Platform 3.0, a new version of its software that now includes capabilities for policy and compliance management, process governance, incident management, and threat and vulnerability management.

By managing the complete lifecycle of policies, processes and controls from a centralized repository within the enterprise, v3.0 keeps them consistently mapped to regulations, industry mandates, frameworks, standards and best practices, and supports efficient communication, audit and enforcement of policies.

A Java-based application, Brinqa runs in all standard Java web containers and on most major platforms. The back-end repository uses an RDBMS server for storing policies, processes, controls, assessments, incidents and a complete audit trail of all GRC-related activities.

It maps business policies to the processes and controls that implement them. Low-level measurements are gathered in near real time by Brinqa’s agentless connectors and translated into business terms that executive management can use in making strategic decisions.

Are You Managing Risk?

Enterprise risk management (ERM) is something every organization should want to do, not just have to do. Norman Marks argues in his monthly column that in the majority of companies, risk is not top of mind: the CRO is not at the executive table and does not participate in executive decision-making.

Why? Because executives don’t see risk management as something that helps them succeed. All the CRO offers is insight into the top risks facing the company, which hopefully drives actions to ensure those risks are monitored and remain within organizational tolerances.

Oracle v SAP

Finally, the Oracle v SAP copyright infringement trial got under way this week. According to court documents filed on Monday, questions about the legality of TomorrowNow's business model surfaced among SAP executives even before the German software company acquired the firm, and that model eventually drew a corporate-theft lawsuit from rival Oracle.

According to transcripts of a deposition filed on the first day of the trial, former SAP executive Shai Agassi said that SAP went through with its 2005 acquisition of TomorrowNow knowing that Oracle might challenge its model of providing discounted support services for Oracle’s software.

It’s only just begun and there’s a lot more on the way. When there’s a result, we’ll let you know.