Part 2. With the rise of cybersecurity threats, application security is certainly getting more attention. CIOs, CISOs and other executives responsible for implementing data protection strategies in their company need to make sure they are protecting their corporate data, complying with the appropriate data privacy regulations such as GDPR, HIPAA and PCI, and preventing the breaches, fines and reputational damage that could seriously impact their business.

Security controls matter.

Some industry sectors, such as financial services, are increasingly being mandated to apply security patches to operating systems and desktop software to minimize any vulnerabilities.

In Part 1 of this three-part blog series, I introduced the need for tighter application security and why it’s incumbent on software vendors like Quest® to ensure their applications are as secure as they can be.

In this part, I’ll walk you through some of the other security controls Toad® by Quest has in place to ensure we adhere to current software security standards for continually testing and delivering versions of Toad products that you can safely install and run.

You’ll also see a compelling argument for staying up to date with the frequent releases of Toad products so you can avoid vulnerabilities and security threats in the future.


Update your Toad for free, with a current license

If you want an update/install from Quest for any Quest product, you need three things:

  • A license for the product (in this case Toad for Oracle)
  • To be current on your maintenance contract (automatically included for 1 year at time of purchase)
  • A login at Quest Support

Your login will be tied to your Toad license. If it’s current, it will let you log in to ask questions and get downloads. If you’re denied these because of maintenance issues, you’ll be contacted very soon by a Quest rep who can make sure your account information is correct or offer to update your maintenance agreement.


Security controls for preventing supply chain attacks

Most IT administrators are occupied with plugging security gaps among different applications installed on different platforms. That’s why Quest believes in making security practical by releasing products that are secure in the first place.

The table below shows the security controls that every release of Toad undergoes.

[Table image: Security controls 4-5]

In this blog, we’re going to look at the next three security controls (outlined in red above) and how Quest Software implements each of these controls for Toad products.

Does your provider use security controls? Quest does. See Toad pricing.

Security control #4: Vulnerability scanning

Quest has defined processes around SAST (Static Application Security Testing) and DAST (Dynamic Application Security Testing) scanning, using external tools.

SAST is a form of white-box testing. A tester using SAST examines the application from the inside, searching its source code for conditions that indicate potential security vulnerabilities. DAST is a form of black-box testing, from the outside as an attacker would see the application. A tester using DAST examines a web application when it is running and tries to hack it as an attacker would.

SAST tools assist in identifying weaknesses catalogued in the Common Weakness Enumeration (CWE). The tools are limited in their handling of issues of logical flow, authentication and authorization, which are better suited to penetration tests (see below) or manual source code reviews. DAST scanners, interacting with a web application from the outside over HTTP, are independent of the technology the application is built with.

For Toad products, tests are conducted using SAST and DAST tools.
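To make the SAST description concrete, here is a minimal static checker written for this post (it is an added example, not a Quest tool or one of the external scanners the text refers to). It walks a Python module's syntax tree and flags three CWE classes that pattern-based analysis handles well: hard-coded credentials (CWE-798), eval/exec on dynamic input (CWE-95), and SQL built by string formatting (CWE-89). The sample source it scans is constructed for the demo; the credential-name list and the checks themselves are this example's own assumptions, not CWE's definitions. Note what it cannot do: the correctly parameterised query on the line after the flawed one passes, but a missing authorization check around the whole function would never be noticed, which is the limitation the paragraph above describes.

```python
"""Minimal SAST-style checker (added example, not a Quest tool).

Walks a Python module's AST and reports three CWE classes that
pattern-based static analysis catches well. Logic, authentication
and authorization flaws are out of reach for this kind of check.
"""
import ast
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Finding:
    cwe: str
    line: int
    message: str


# Assumed variable names that usually hold secrets (example's own list).
CREDENTIAL_NAMES = {"password", "passwd", "pwd", "secret", "api_key", "token"}
DANGEROUS_CALLS = {"eval", "exec"}


def _call_name(node: ast.Call) -> str:
    """Return 'eval' for eval(...) and 'execute' for cursor.execute(...)."""
    func = node.func
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute):
        return func.attr
    return ""


def _is_dynamic_string(node: ast.expr) -> bool:
    """True when the expression builds a string at runtime."""
    if isinstance(node, ast.JoinedStr):                       # f"..."
        return True
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return True                                           # "a" + x  or  "..." % x
    if isinstance(node, ast.Call) and _call_name(node) == "format":
        return True                                           # "...".format(x)
    return False


class _Visitor(ast.NodeVisitor):
    def __init__(self) -> None:
        self.findings: List[Finding] = []

    def visit_Assign(self, node: ast.Assign) -> None:
        # CWE-798: a credential-like name assigned a non-empty string literal
        for target in node.targets:
            if (isinstance(target, ast.Name)
                    and target.id.lower() in CREDENTIAL_NAMES
                    and isinstance(node.value, ast.Constant)
                    and isinstance(node.value.value, str)
                    and node.value.value):
                self.findings.append(Finding(
                    "CWE-798", node.lineno, f"hard-coded credential in '{target.id}'"))
        self.generic_visit(node)

    def visit_Call(self, node: ast.Call) -> None:
        name = _call_name(node)
        # CWE-95: eval/exec whose first argument is not a literal
        if name in DANGEROUS_CALLS and node.args and not isinstance(node.args[0], ast.Constant):
            self.findings.append(Finding("CWE-95", node.lineno, f"{name}() on non-literal input"))
        # CWE-89: execute() receiving a string assembled at runtime
        if name == "execute" and node.args and _is_dynamic_string(node.args[0]):
            self.findings.append(Finding(
                "CWE-89", node.lineno, "SQL statement built by string formatting"))
        self.generic_visit(node)


def scan_source(source: str) -> List[Finding]:
    """Parse `source` and return findings ordered by line number."""
    visitor = _Visitor()
    visitor.visit(ast.parse(source))
    return sorted(visitor.findings, key=lambda f: f.line)


# Constructed sample module: one flawed query, one parameterised query.
SAMPLE = '''\
import sqlite3
password = "hunter2"
def lookup(conn, user_id):
    cur = conn.cursor()
    cur.execute("SELECT * FROM accounts WHERE id = " + user_id)
    cur.execute("SELECT * FROM accounts WHERE id = ?", (user_id,))
    return cur.fetchall()
def calc(expr):
    return eval(expr)
'''

if __name__ == "__main__":
    for f in scan_source(SAMPLE):
        print(f"line {f.line}: {f.cwe} {f.message}")
```

Running the block reports lines 2, 5 and 9 of the sample; the parameterised query on line 6 is correctly left alone. A real SAST product does the same kind of work with far more rules and data-flow tracking, but the division of labour the text describes (patterns to tools, logic and access control to penetration testers and reviewers) is the same.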


Security control #5: Third-party penetration testing

Penetration testing demonstrates the real-world impact if a vulnerability or process weakness were to be exploited. It is designed to assess security before a bad actor strikes. A penetration test is not an automated scan of an application or its source code, but the next step after automated vulnerability scanning (see above).

For Toad products, penetration testing is conducted annually. The tests, a combination of manual and automated testing, are designed to uphold software security standards in the following areas of the product:

  • Application logic
  • Code injection
  • Local storage
  • Binary exploitation and reverse engineering
  • Excessive privileges
  • Unencrypted storage of sensitive information
  • Unencrypted transmission of sensitive information
  • Weak encryption implementations
  • Weak assembly controls
  • Weak GUI controls
  • Weak or default passwords

In most cases a penetration test follows a specific framework that depends on the target application or infrastructure, and tactics vary with the adversary being mimicked.


Security control #6: Malware scanning of software builds

When the development team packages Toad for release, they first scan for malware following a consistent process that includes these security control steps:

  • Install packages are hashed using the SHA-256 algorithm before scanning, and the hash must match the final, published hash on the package.
  • All software builds are scanned for malware before they are released for install.
  • All files packaged into an installer are first scanned for malware.
  • Automated malware scanning is performed.
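The first step above, hashing the package with SHA-256 and requiring it to match the published hash, is also the check a customer can run on the downloaded installer before running it. The script below is an added example, not Quest's release tooling; it assumes the vendor publishes hashes in the common sha256sum manifest format ("<hex digest>  <filename>"), and the package bytes, file names and manifest it uses are constructed for the demo. It streams the file so a large installer is never read into memory at once, refuses to trust a file that has no published hash at all, and compares digests with a constant-time comparison.

```python
"""Verify a downloaded install package against its published SHA-256 hash.

Added example, not Quest's own release tooling. Assumes a sha256sum-style
manifest; the sample package, file names and manifest are constructed.
"""
import hashlib
import hmac
import os
import tempfile
from typing import Dict, Tuple

CHUNK = 1024 * 1024  # read installers in 1 MiB chunks


def sha256_file(path: str) -> str:
    """Hex SHA-256 of a file, computed without loading it whole."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_manifest(text: str) -> Dict[str, str]:
    """Map filename -> lowercase hex digest; blank and '#' lines are skipped."""
    expected: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.strip().lstrip("*")          # sha256sum marks binary mode with '*'
        if len(digest) != 64 or any(c not in "0123456789abcdefABCDEF" for c in digest):
            raise ValueError(f"malformed digest for {name!r}")
        expected[name] = digest.lower()
    return expected


def verify_package(path: str, manifest: Dict[str, str]) -> Tuple[bool, str]:
    """Return (ok, message). A file absent from the manifest is never trusted."""
    name = os.path.basename(path)
    if name not in manifest:
        return False, f"{name}: no published hash, refusing to trust"
    actual = sha256_file(path)
    # compare_digest avoids leaking the match position through timing
    if hmac.compare_digest(actual, manifest[name]):
        return True, f"{name}: hash matches published value"
    return False, (f"{name}: MISMATCH (got {actual[:16]}..., "
                   f"expected {manifest[name][:16]}...)")


# Constructed sample: SHA-256 of b"hello" is the well-known digest below.
SAMPLE_PACKAGE = b"hello"
SAMPLE_MANIFEST = """\
# published by the vendor (constructed for this example)
2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824  installer-example.exe
2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824  *installer-tampered.exe
"""


def demo() -> Dict[str, bool]:
    """Write three constructed files and verify each; returns name -> ok."""
    manifest = parse_manifest(SAMPLE_MANIFEST)
    results: Dict[str, bool] = {}
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "installer-example.exe")      # intact package
        bad = os.path.join(d, "installer-tampered.exe")      # one byte appended
        unknown = os.path.join(d, "unlisted.exe")            # not in manifest
        with open(good, "wb") as fh:
            fh.write(SAMPLE_PACKAGE)
        with open(bad, "wb") as fh:
            fh.write(SAMPLE_PACKAGE + b"\x00")
        with open(unknown, "wb") as fh:
            fh.write(SAMPLE_PACKAGE)
        for p in (good, bad, unknown):
            ok, msg = verify_package(p, manifest)
            print(msg)
            results[os.path.basename(p)] = ok
    return results


if __name__ == "__main__":
    demo()
```

The hash check only proves the bytes you have are the bytes the vendor published; it says nothing about whether the published package was clean, which is what the malware scanning steps above cover, and it does not tell you the manifest itself is authentic, which is where the code signing discussed in Part 3 comes in.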

Security controls keep you safer and stronger against cybersecurity attacks.

Next Steps

In Part 3 of this blog, I’ll talk about some additional security controls that Toad has in place for code signing, software integrity and FIPS compliance.

For more detailed information on how Toad addresses desktop security through SSDLC, read this Technical Brief.

Watch the free webinar, "Why do you need to update your Toad for Oracle today?"


Try Toad for Oracle now

Try Toad for Oracle free for 30 days.

Already in a trial? Talk to sales or buy now online.

Already a loyal fan of Toad for Oracle? Renew now.


About the Author

John Pocknell

John Pocknell is a senior market strategist at Quest Software and part of the Information Management business unit. Based at the European headquarters in the U.K., John is responsible for synthesising analyst data and customer interviews in order to create and evangelise solutions-based stories and messaging which relate to major IT initiatives for our extensive portfolio of database products, worldwide. He has been with Quest Software since 2000, working in the database design, development and deployment product areas and spent over 10 years as product manager for the Toad product line. John has been successfully evangelising Toad and other database solutions at various conferences and user groups around the world for the last 19 years as well as writing blogs and technical papers both internally and for the media. John has worked in IT for more than 30 years, most of that time in Oracle application design and development. He is a qualified aeronautical engineer with more than 10 years of experience in provisioning IT consultancy services and implementing quality assurance systems to ISO 9001.
