SlideShare a Scribd company logo

77848485 upgrade-security-in-your-r12-upgrade

R
raghu_sid

R1 security

1 of 30
Download to read offline
mission critical applications … … mission critical security Upgrade Security in Your Oracle R12 Upgrade Stephen Kost Chief Technology Officer Integrigy Corporation NCOAUG Winter 2011  February 25, 2011
Integrigy Overview Integrigy Corporation is a leader in application security for enterprise  mission‐critical applications.  AppSentry, our application and database  security assessment tool, assists companies in securing their largest and  most important applications through detailed security audits and actionable  recommendations.  Integrigy Consulting offers comprehensive security  assessment services for leading databases and ERP applications, enabling  companies to leverage our in‐depth knowledge of this significant threat to  business operations. Corporate Details − Founded December 2001 − Privately Held − Based in Chicago, Illinois
Background Speaker Company Stephen Kost Integrigy Corporation CTO and Founder Integrigy bridges the gap between  databases and security 16 years working with Oracle Security Design and Assessment of  12 years focused on Oracle  Oracle Databases security Security Design and Assessment of  DBA, Apps DBA, technical  the Oracle E‐Business suite architect, IT security, … AppSentry ‐ Security Assessment  Software Tool
Integrigy Security Alerts Security Alert Versions Security Vulnerabilities Oracle 11g 2 Issues in Oracle RDBMS Authentication Critical Patch Update July 2008 11.5.8 – 12.0.x 2 Oracle E‐Business Suite vulnerabilities 12.0.x 8 vulnerabilities, SQL injection, XSS, information  Critical Patch Update April 2008 11.5.7 – 11.5.10 disclosure, etc. 12.0.x 11 vulnerabilities, SQL injection, XSS, information  Critical Patch Update July 2007 11.5.1 – 11.5.10 disclosure, etc. 11.5.1 – 11.5.10 Critical Patch Update October 2005 11.0.x Default configuration issues 11.5.1 – 11.5.10 SQL injection vulnerabilities Critical Patch Update July 2005 11.0.x Information disclosure 11.5.1 – 11.5.10 SQL injection vulnerabilities Critical Patch Update April 2005 11.0.x Information disclosure 11.5.1 – 11.5.10 Critical Patch Update Jan 2005 11.0.x SQL injection vulnerabilities Buffer overflows Oracle Security Alert #68 Oracle 8i, 9i, 10g Listener information leakage 11.5.1 – 11.5.8 Oracle Security Alert #67 11.0.x 10 SQL injection vulnerabilities 11.5.1 – 11.5.8 Buffer overflow in FNDWRR.exe Oracle Security Alert #56 11.0.x Multiple vulnerabilities in AOL/J Setup Test Oracle Security Alert #55 11.5.1 – 11.5.8 Obtain sensitive information (valid session) 10.7, 11.0.x No authentication in FNDFS program Oracle Security Alert #53 11.5.1 – 11.5.8 Retrieve any file from O/S
Agenda Improving Security  R12 Security during the Upgrade Enhancements Q&A 1 2 3 4 5 11i and R12 R12 New Differences Security Features
Agenda Improving Security  R12 Security during the Upgrade Enhancements Q&A 1 2 3 4 5 11i and R12 R12 New Differences Security Features
Why do “Security” during the upgrade? 1 Technology Stack Upgrades New version = new security features Reset of security patching – should be current at go‐live 2 Functional, Technical, & Stress Testing Functional application testing Performance and stress testing 3 Modifications to Customizations Some or many customizations must be upgraded Ideal time to review development standards
Traditional R12 Upgrade Project Post‐ Evaluate Plan Test Upgrade Upgrade Security Security Security Security Security
Security “Aware” R12 Upgrade Project Goal: High security value, low project effort, major testing required, low project risk Post‐ Evaluate Plan Test Upgrade Upgrade Security and  Functional and  Implement  compliance gap analysis technical test new  security process  Review new application  security features improvements and technology stack  Performance test  Post upgrade  security features auditing  security review enhancements Improve security and  Implement new security  compliance processes features Develop new security  Latest security patches features Upgrade hardening task Customization security  Security scan reviews
Example Upgrade Security Enhancements Security  Security  Project Testing Project  Enhancement Value Effort Required Risk Restricted Database Access High Medium High Medium Auditing High Low Medium Low Encryption High Low High Medium Security Patches High Low Medium Low Security Hardening Medium Low Medium Low Database Access Controls Medium Medium Medium Low Data Scrambling Medium Low Low Low Single Sign‐on Low High High High
R12 Upgrade Impacted Security Processes Oracle Applications Technical Components Oracle Applications Database Application Server Operating System 1.1 User Management 1. Account Security 1.3 Database Security 1.4 Network and Web 1.5 OS Security 1.2 Segregation of Duties 2.1 Data Management 2.2 Database Access  2. Data Security 2.3 Web Access  2.4 File Permissions and Privacy and Privileges Operational Processes 3. Auditing 3.1 Application Auditing 3.2 Database Auditing 3.3 Web Logging 3.4 OS Auditing 4. Monitoring and  4.1 Application 4.2 Database 4.3 Web and Forms 4.4 Operating System Troubleshooting 5.1 Object Migrations 5.3 Change Control 5. Change 5.5 Change Control 5.6 Change Control Management 5.2 Application  5.4 Database  Configuration Configuration 6.3 Application Server  6. Patching 6.1 Application Patches 6.2 Database Patches 6.4 OS Patches Patches 7.3 Web 7. Development 7.1 Application 7.2 Database 7.5 Shell and File Transfer 7.4 Web Services  and SOA
Agenda Improving Security  R12 Security during the Upgrade Enhancements Q&A 1 2 3 4 5 11i and R12 R12 New Differences Security Features
11i/R12 Architecture Differences Oracle EBS 11.5.10.2 Oracle EBS 12.1.3 Application Server Application Server circa Replaces 1999 JServ JServ OC4J Apache Apache 1.3.19 1.3.34 JSP (current is JSP Web Listener Web Listener 1.3.42 or BC4J Removed 2.2.17) BC4J in R12 modplsql UIX Reports Reports 8.0.6.3 Forms Oracle  Forms Home Oracle 9iAS 1.0.2.2.2 Oracle AS 10g 10.1.2/10.1.3 Version App Server Desupported Upgradable ~2005
11i/R12 Architecture Differences Oracle Database Upgrade − 9.2/10.2 replaced with 11.2 − 11.2 has TDE tablespace encryption Oracle Jinitiator ‐> Sun JRE − Improved support and standardization mod_plsql retired − Significant security vulnerabilities historically − Allowed direct execution of PL/SQL packages in database Forms Server ‐> Forms Listener Servlet − All network traffic through Apache server – no standalone port Oracle Reports ‐> XML Publisher − Improved security model and features
Critical Patch Updates R12 Critical Patch Updates are cumulative − 11i introduced cumulative patches with January 2010 CPU Database Version Included CPU EBS Version Included CPU Upgrade Patch 10.2.0.4 April 2008 12.0.6 October 2008 11.1.0.6 October 2007 12.1.1 April 2009 11.1.0.7 January 2009 12.1.2 October 2009 11.2.0.1 January 2010 12.1.3 January 2011* 11.2.0.2 January 2011 * Estimated by Integrigy
R12 Application Users Added New application accounts from 12.0.0 onward − INDUSTRY DATA − ORACLE12.0.0  − ORACLE12.1.0 − ORACLE12.2.0 − ORACLE12.3.0 − ORACLE12.4.0 − ORACLE12.5.0 − ORACLE12.6.0 − ORACLE12.7.0 − ORACLE12.8.0 − ORACLE12.9.0  All are active accounts with invalid passwords
Database Accounts Added A new database account is added for each  new product module − Database accounts active with default password − Partial list of new module database accounts: CA, DDR, DNA, DPP, FTP, GMO,  IBW, INL, IPM, ITA, JMF, MTH,  PFT, QPR, RRS, 
Agenda Improving Security  R12 Security during the Upgrade Enhancements Q&A 1 2 3 4 5 11i and R12 R12 New Differences Security Features
Protecting Database Accounts Use AFPASSWD rather than FNDCPASS − Lock Products Schema Accounts > AFPASSWD  –L  TRUE − Improved separation of duties − Fewer errors changing password with password confirmation  entry − See R12 SAG – Configuration Oracle 11g case sensitive passwords (12.1 only) − SEC_CASE_SENSITIVE_LOGON = TRUE − APPLSYSPUB must always be uppercase Change the APPLSYSPUB password − Finally works in R12 and supported by Oracle − Also make sure the password is changed in AutoConfig
Web Server Traffic Encryption (SSL) Improved SSL support − Changed from mod_ssl ‐> mod_ossl − Uses Oracle Wallet for storing certificates − Only strong ciphers enabled and SSLv2 disabled Provides AutoConfig support for securing the  major communication routes with SSL. See Metalink Note ID 376700.1
Advanced Configuration Wizards New “Advanced Configuration Wizards” for  complex setups of advanced configurations − Available through OAM − DNS load balancing − HTTP load balancing − SSL setup on web server − SSL Accelerator setup
Agenda Improving Security  R12 Security during the Upgrade Enhancements Q&A 1 2 3 4 5 11i and R12 R12 New Differences Security Features
Oracle Connection Manager Oracle Connection Manager Supported − Advanced security to restrict database connections − Like Managed SQL*Net Access, but on steroids − See Metalink Note ID 558959.1
RBAC and User Management Role Based Access Control (RBAC) − RBAC is an ANSI standard for access control − Allows for responsibilities to be assigned through roles − Role Inheritance and Role Categories − See Metalink Note ID 290525.1 Oracle User Management (UMX) − New user registration − Enhanced Forget Username/Password Functionality − New security wizards
Proxy User Proxy User allows a user to specify a proxy  who can act on their behalf. − For example, an executive can designate an  assistant as a proxy, allowing that assistant to − Create, edit or approve transactions on behalf of  that executive Generally, avoid use due to auditing issues Can be used to solve the concurrent request  scheduling problem
PCI PA‐DSS Oracle PA‐DSS Consolidated Patch for 12.1  − Reduces complexity of PCI DSS compliance − Fixes multiple functional weaknesses when processing  and viewing credit card data − Does not eliminate significant manual configuration for  PCI DSS − Only 12.1 is PA‐DSS compliant − See Metalink Note ID 984283.1 11i and 12.0 will not be PA‐DSS compliant − See Metalink Note ID 1101213.1
R12 Upgrade Security Recommendations Include security tasks throughout the upgrade project − Implement high value, low effort security improvements and  enhancements − Leverage the “free” testing cycles Adhere to the Oracle Best Practices for Oracle EBS security − See Metalink Note ID 403537.1 − Written by Integrigy − Oracle has not updated since 2007 Validate the security configuration post‐upgrade − Perform a post‐upgrade security scan or review − Validate compliance against security best practices − Oracle E‐Business Suite is complex and “the devil is in the  details”
Agenda Improving Security  R12 Security during the Upgrade Enhancements Q&A 1 2 3 4 5 11i and R12 R12 New Differences Security Features
Upcoming Integrigy Events Webinar: Protecting You Sensitive Data − Wednesday, March 16, 2pm EDT COLLABORATE 11 – OAUG and IOUG − Protecting Sensitive Data in the Oracle E‐Business Suite − Securing the Oracle E‐Business Suite Best Practices Panel − Security Bootcamp: Real‐life Database Security Mistakes − Credit Cards and Oracle: How to Comply with PCI‐DSS − Real‐life E‐Business Suite Security Mistakes
Integrigy Contact Information Stephen Kost e‐mail: info@integrigy.com Chief Technology Officer blog: integrigy.com/oracle‐security‐blog Integrigy Corporation For information on ‐ Oracle Database Security Oracle E‐Business Suite Security www.integrigy.com Oracle Critical Patch Updates Oracle Security Blog Copyright © 2011 Integrigy Corporation.  All rights reserved.

Recommended

Novell SecureLogin 7 and Your Microsoft Active Directory Setup
Novell SecureLogin 7 and Your Microsoft Active Directory SetupNovell SecureLogin 7 and Your Microsoft Active Directory Setup
Novell SecureLogin 7 and Your Microsoft Active Directory SetupNovell
 
Sql server 2008 r2 security datasheet
Sql server 2008 r2 security datasheetSql server 2008 r2 security datasheet
Sql server 2008 r2 security datasheetKlaudiia Jacome
 
Ioug 2010 oracle critical patch updates unwrapped presentation
Ioug 2010 oracle critical patch updates unwrapped presentationIoug 2010 oracle critical patch updates unwrapped presentation
Ioug 2010 oracle critical patch updates unwrapped presentationmaclean liu
 
Oracle Buys Ksplice
Oracle Buys KspliceOracle Buys Ksplice
Oracle Buys KspliceTerry Wang
 
Whats new in was liberty security and cloud readiness
Whats new in was liberty security and cloud readinessWhats new in was liberty security and cloud readiness
Whats new in was liberty security and cloud readinesssflynn073
 
Gary m pearson_resume_18_dec15-2016
Gary m pearson_resume_18_dec15-2016Gary m pearson_resume_18_dec15-2016
Gary m pearson_resume_18_dec15-2016Gary Pearson
 
J Bdemo101215
J Bdemo101215J Bdemo101215
J Bdemo101215kgirt
 
Simplified, Robust and Speedy Novell Identity Manager Implementation with Des...
Simplified, Robust and Speedy Novell Identity Manager Implementation with Des...Simplified, Robust and Speedy Novell Identity Manager Implementation with Des...
Simplified, Robust and Speedy Novell Identity Manager Implementation with Des...Novell
 

Recommended

Novell SecureLogin 7 and Your Microsoft Active Directory Setup
Novell SecureLogin 7 and Your Microsoft Active Directory SetupNovell SecureLogin 7 and Your Microsoft Active Directory Setup
Novell SecureLogin 7 and Your Microsoft Active Directory SetupNovell
 
Sql server 2008 r2 security datasheet
Sql server 2008 r2 security datasheetSql server 2008 r2 security datasheet
Sql server 2008 r2 security datasheetKlaudiia Jacome
 
Ioug 2010 oracle critical patch updates unwrapped presentation
Ioug 2010 oracle critical patch updates unwrapped presentationIoug 2010 oracle critical patch updates unwrapped presentation
Ioug 2010 oracle critical patch updates unwrapped presentationmaclean liu
 
Oracle Buys Ksplice
Oracle Buys KspliceOracle Buys Ksplice
Oracle Buys KspliceTerry Wang
 
Whats new in was liberty security and cloud readiness
Whats new in was liberty security and cloud readinessWhats new in was liberty security and cloud readiness
Whats new in was liberty security and cloud readinesssflynn073
 
Gary m pearson_resume_18_dec15-2016
Gary m pearson_resume_18_dec15-2016Gary m pearson_resume_18_dec15-2016
Gary m pearson_resume_18_dec15-2016Gary Pearson
 
J Bdemo101215
J Bdemo101215J Bdemo101215
J Bdemo101215kgirt
 
Simplified, Robust and Speedy Novell Identity Manager Implementation with Des...
Simplified, Robust and Speedy Novell Identity Manager Implementation with Des...Simplified, Robust and Speedy Novell Identity Manager Implementation with Des...
Simplified, Robust and Speedy Novell Identity Manager Implementation with Des...Novell
 
Deven patel e2
Deven patel e2Deven patel e2
Deven patel e2Deven Patel
 
Intel® Xeon® Processor E5-2600 v4 Financial Security Applications Showcase
Intel® Xeon® Processor E5-2600 v4 Financial Security Applications ShowcaseIntel® Xeon® Processor E5-2600 v4 Financial Security Applications Showcase
Intel® Xeon® Processor E5-2600 v4 Financial Security Applications ShowcaseIntel IT Center
 
Mark_Wilkinson_Systems_Engineer IV_2
Mark_Wilkinson_Systems_Engineer IV_2Mark_Wilkinson_Systems_Engineer IV_2
Mark_Wilkinson_Systems_Engineer IV_2Mark Wilkinson
 
Flight East 2018 Presentation–Continuous Integration––An Overview
Flight East 2018 Presentation–Continuous Integration––An OverviewFlight East 2018 Presentation–Continuous Integration––An Overview
Flight East 2018 Presentation–Continuous Integration––An OverviewSynopsys Software Integrity Group
 
How Microsoft Technologies And Windows Vista Improve Supporting
How Microsoft Technologies And Windows Vista Improve SupportingHow Microsoft Technologies And Windows Vista Improve Supporting
How Microsoft Technologies And Windows Vista Improve SupportingMicrosoft TechNet
 
Flight East 2018 Presentation–A DevOps State of Mind: Continuous Security wit...
Flight East 2018 Presentation–A DevOps State of Mind: Continuous Security wit...Flight East 2018 Presentation–A DevOps State of Mind: Continuous Security wit...
Flight East 2018 Presentation–A DevOps State of Mind: Continuous Security wit...Synopsys Software Integrity Group
 
VMworld 2013: Introducing NSX Service Composer: The New Consumption Model for...
VMworld 2013: Introducing NSX Service Composer: The New Consumption Model for...VMworld 2013: Introducing NSX Service Composer: The New Consumption Model for...
VMworld 2013: Introducing NSX Service Composer: The New Consumption Model for...VMworld
 
Webroot SecureAnywhere Cloud vs. Six Traditional Security Products
Webroot SecureAnywhere Cloud vs. Six Traditional Security ProductsWebroot SecureAnywhere Cloud vs. Six Traditional Security Products
Webroot SecureAnywhere Cloud vs. Six Traditional Security ProductsWebroot
 
2010-12 SCAP Explained
2010-12 SCAP Explained 2010-12 SCAP Explained
2010-12 SCAP Explained Raleigh ISSA
 
WS-* Specifications Update 2007
WS-* Specifications Update 2007WS-* Specifications Update 2007
WS-* Specifications Update 2007Jorgen Thelin
 
Ugif 04 2011 informix fug-paris
Ugif 04 2011 informix fug-parisUgif 04 2011 informix fug-paris
Ugif 04 2011 informix fug-parisUGIF
 
Intel® Xeon® Processor E5-2600 v4 Tech Computing Applications Showcase
Intel® Xeon® Processor E5-2600 v4 Tech Computing Applications ShowcaseIntel® Xeon® Processor E5-2600 v4 Tech Computing Applications Showcase
Intel® Xeon® Processor E5-2600 v4 Tech Computing Applications ShowcaseIntel IT Center
 
Ksplice Presentation External
Ksplice Presentation ExternalKsplice Presentation External
Ksplice Presentation ExternalOrlando F. Delgado
 
Avc per 201206_en
Avc per 201206_enAvc per 201206_en
Avc per 201206_enAnatoliy Tkachev
 
Replay Solutions CFD
Replay Solutions CFDReplay Solutions CFD
Replay Solutions CFDkilroy440
 
VMworld 2013: Security Automation Workflows with NSX
VMworld 2013: Security Automation Workflows with NSX VMworld 2013: Security Automation Workflows with NSX
VMworld 2013: Security Automation Workflows with NSX VMworld
 
Enterprise class apex
Enterprise class apexEnterprise class apex
Enterprise class apexEnkitec
 
Oracle VM Consolidation and Path to the Cloud
Oracle VM Consolidation and Path to the CloudOracle VM Consolidation and Path to the Cloud
Oracle VM Consolidation and Path to the CloudBob Rhubart
 
Application-Driven Virtualization: Architectural Considerations
Application-Driven Virtualization: Architectural ConsiderationsApplication-Driven Virtualization: Architectural Considerations
Application-Driven Virtualization: Architectural ConsiderationsBob Rhubart
 
XebiaLabs deployment automation brochure
XebiaLabs deployment automation brochureXebiaLabs deployment automation brochure
XebiaLabs deployment automation brochureguestea92ba
 
R12 feature analysis_sigmora
R12 feature analysis_sigmoraR12 feature analysis_sigmora
R12 feature analysis_sigmorabgadicha
 
Oracle R12.1.2 and R12.1.3 features
Oracle R12.1.2 and R12.1.3 featuresOracle R12.1.2 and R12.1.3 features
Oracle R12.1.2 and R12.1.3 featuresravisagaram
 

More Related Content

What's hot

Intel® Xeon® Processor E5-2600 v4 Financial Security Applications Showcase
Intel® Xeon® Processor E5-2600 v4 Financial Security Applications ShowcaseIntel® Xeon® Processor E5-2600 v4 Financial Security Applications Showcase
Intel® Xeon® Processor E5-2600 v4 Financial Security Applications ShowcaseIntel IT Center
 
Mark_Wilkinson_Systems_Engineer IV_2
Mark_Wilkinson_Systems_Engineer IV_2Mark_Wilkinson_Systems_Engineer IV_2
Mark_Wilkinson_Systems_Engineer IV_2Mark Wilkinson
 
Flight East 2018 Presentation–Continuous Integration––An Overview
Flight East 2018 Presentation–Continuous Integration––An OverviewFlight East 2018 Presentation–Continuous Integration––An Overview
Flight East 2018 Presentation–Continuous Integration––An OverviewSynopsys Software Integrity Group
 
How Microsoft Technologies And Windows Vista Improve Supporting
How Microsoft Technologies And Windows Vista Improve SupportingHow Microsoft Technologies And Windows Vista Improve Supporting
How Microsoft Technologies And Windows Vista Improve SupportingMicrosoft TechNet
 
Flight East 2018 Presentation–A DevOps State of Mind: Continuous Security wit...
Flight East 2018 Presentation–A DevOps State of Mind: Continuous Security wit...Flight East 2018 Presentation–A DevOps State of Mind: Continuous Security wit...
Flight East 2018 Presentation–A DevOps State of Mind: Continuous Security wit...Synopsys Software Integrity Group
 
VMworld 2013: Introducing NSX Service Composer: The New Consumption Model for...
VMworld 2013: Introducing NSX Service Composer: The New Consumption Model for...VMworld 2013: Introducing NSX Service Composer: The New Consumption Model for...
VMworld 2013: Introducing NSX Service Composer: The New Consumption Model for...VMworld
 
Webroot SecureAnywhere Cloud vs. Six Traditional Security Products
Webroot SecureAnywhere Cloud vs. Six Traditional Security ProductsWebroot SecureAnywhere Cloud vs. Six Traditional Security Products
Webroot SecureAnywhere Cloud vs. Six Traditional Security ProductsWebroot
 
2010-12 SCAP Explained
2010-12 SCAP Explained 2010-12 SCAP Explained
2010-12 SCAP Explained Raleigh ISSA
 
WS-* Specifications Update 2007
WS-* Specifications Update 2007WS-* Specifications Update 2007
WS-* Specifications Update 2007Jorgen Thelin
 
Ugif 04 2011 informix fug-paris
Ugif 04 2011 informix fug-parisUgif 04 2011 informix fug-paris
Ugif 04 2011 informix fug-parisUGIF
 
Intel® Xeon® Processor E5-2600 v4 Tech Computing Applications Showcase
Intel® Xeon® Processor E5-2600 v4 Tech Computing Applications ShowcaseIntel® Xeon® Processor E5-2600 v4 Tech Computing Applications Showcase
Intel® Xeon® Processor E5-2600 v4 Tech Computing Applications ShowcaseIntel IT Center
 
Replay Solutions CFD
Replay Solutions CFDReplay Solutions CFD
Replay Solutions CFDkilroy440
 
VMworld 2013: Security Automation Workflows with NSX
VMworld 2013: Security Automation Workflows with NSX VMworld 2013: Security Automation Workflows with NSX
VMworld 2013: Security Automation Workflows with NSX VMworld
 
Enterprise class apex
Enterprise class apexEnterprise class apex
Enterprise class apexEnkitec
 
Oracle VM Consolidation and Path to the Cloud
Oracle VM Consolidation and Path to the CloudOracle VM Consolidation and Path to the Cloud
Oracle VM Consolidation and Path to the CloudBob Rhubart
 
Application-Driven Virtualization: Architectural Considerations
Application-Driven Virtualization: Architectural ConsiderationsApplication-Driven Virtualization: Architectural Considerations
Application-Driven Virtualization: Architectural ConsiderationsBob Rhubart
 
XebiaLabs deployment automation brochure
XebiaLabs deployment automation brochureXebiaLabs deployment automation brochure
XebiaLabs deployment automation brochureguestea92ba
 

What's hot (20)

Deven patel e2
Deven patel e2Deven patel e2
Deven patel e2
 
Intel® Xeon® Processor E5-2600 v4 Financial Security Applications Showcase
Intel® Xeon® Processor E5-2600 v4 Financial Security Applications ShowcaseIntel® Xeon® Processor E5-2600 v4 Financial Security Applications Showcase
Intel® Xeon® Processor E5-2600 v4 Financial Security Applications Showcase
 
Mark_Wilkinson_Systems_Engineer IV_2
Mark_Wilkinson_Systems_Engineer IV_2Mark_Wilkinson_Systems_Engineer IV_2
Mark_Wilkinson_Systems_Engineer IV_2
 
Flight East 2018 Presentation–Continuous Integration––An Overview
Flight East 2018 Presentation–Continuous Integration––An OverviewFlight East 2018 Presentation–Continuous Integration––An Overview
Flight East 2018 Presentation–Continuous Integration––An Overview
 
How Microsoft Technologies And Windows Vista Improve Supporting
How Microsoft Technologies And Windows Vista Improve SupportingHow Microsoft Technologies And Windows Vista Improve Supporting
How Microsoft Technologies And Windows Vista Improve Supporting
 
Flight East 2018 Presentation–A DevOps State of Mind: Continuous Security wit...
Flight East 2018 Presentation–A DevOps State of Mind: Continuous Security wit...Flight East 2018 Presentation–A DevOps State of Mind: Continuous Security wit...
Flight East 2018 Presentation–A DevOps State of Mind: Continuous Security wit...
 
VMworld 2013: Introducing NSX Service Composer: The New Consumption Model for...
VMworld 2013: Introducing NSX Service Composer: The New Consumption Model for...VMworld 2013: Introducing NSX Service Composer: The New Consumption Model for...
VMworld 2013: Introducing NSX Service Composer: The New Consumption Model for...
 
Webroot SecureAnywhere Cloud vs. Six Traditional Security Products
Webroot SecureAnywhere Cloud vs. Six Traditional Security ProductsWebroot SecureAnywhere Cloud vs. Six Traditional Security Products
Webroot SecureAnywhere Cloud vs. Six Traditional Security Products
 
2010-12 SCAP Explained
2010-12 SCAP Explained 2010-12 SCAP Explained
2010-12 SCAP Explained
 
WS-* Specifications Update 2007
WS-* Specifications Update 2007WS-* Specifications Update 2007
WS-* Specifications Update 2007
 
Ugif 04 2011 informix fug-paris
Ugif 04 2011 informix fug-parisUgif 04 2011 informix fug-paris
Ugif 04 2011 informix fug-paris
 
Intel® Xeon® Processor E5-2600 v4 Tech Computing Applications Showcase
Intel® Xeon® Processor E5-2600 v4 Tech Computing Applications ShowcaseIntel® Xeon® Processor E5-2600 v4 Tech Computing Applications Showcase
Intel® Xeon® Processor E5-2600 v4 Tech Computing Applications Showcase
 
Ksplice Presentation External
Ksplice Presentation ExternalKsplice Presentation External
Ksplice Presentation External
 
Avc per 201206_en
Avc per 201206_enAvc per 201206_en
Avc per 201206_en
 
Replay Solutions CFD
Replay Solutions CFDReplay Solutions CFD
Replay Solutions CFD
 
VMworld 2013: Security Automation Workflows with NSX
VMworld 2013: Security Automation Workflows with NSX VMworld 2013: Security Automation Workflows with NSX
VMworld 2013: Security Automation Workflows with NSX
 
Enterprise class apex
Enterprise class apexEnterprise class apex
Enterprise class apex
 
Oracle VM Consolidation and Path to the Cloud
Oracle VM Consolidation and Path to the CloudOracle VM Consolidation and Path to the Cloud
Oracle VM Consolidation and Path to the Cloud
 
Application-Driven Virtualization: Architectural Considerations
Application-Driven Virtualization: Architectural ConsiderationsApplication-Driven Virtualization: Architectural Considerations
Application-Driven Virtualization: Architectural Considerations
 
XebiaLabs deployment automation brochure
XebiaLabs deployment automation brochureXebiaLabs deployment automation brochure
XebiaLabs deployment automation brochure
 

Viewers also liked

R12 feature analysis_sigmora
R12 feature analysis_sigmoraR12 feature analysis_sigmora
R12 feature analysis_sigmorabgadicha
 
Oracle R12.1.2 and R12.1.3 features
Oracle R12.1.2 and R12.1.3 featuresOracle R12.1.2 and R12.1.3 features
Oracle R12.1.2 and R12.1.3 featuresravisagaram
 
152633980 accrual-reconciliation-process-and-troubleshooting-in-r12-pdf
152633980 accrual-reconciliation-process-and-troubleshooting-in-r12-pdf152633980 accrual-reconciliation-process-and-troubleshooting-in-r12-pdf
152633980 accrual-reconciliation-process-and-troubleshooting-in-r12-pdfnarane1976
 
R12 whats_new_financials
R12 whats_new_financialsR12 whats_new_financials
R12 whats_new_financialskishan_v
 
Oracle R12 Fixed Assets Changes From 11i
Oracle R12 Fixed Assets Changes From 11iOracle R12 Fixed Assets Changes From 11i
Oracle R12 Fixed Assets Changes From 11iSanjay Challagundla
 
Oracle R12 AR Enhancement Overview
Oracle R12 AR Enhancement OverviewOracle R12 AR Enhancement Overview
Oracle R12 AR Enhancement OverviewSanjay Challagundla
 
Oracle R12 Cash Management New Features
Oracle R12 Cash Management New FeaturesOracle R12 Cash Management New Features
Oracle R12 Cash Management New FeaturesSanjay Challagundla
 
OOW09 R12.1 Standalone Solutions
OOW09 R12.1 Standalone SolutionsOOW09 R12.1 Standalone Solutions
OOW09 R12.1 Standalone Solutionsjucaab
 

Viewers also liked (13)

R12 feature analysis_sigmora
R12 feature analysis_sigmoraR12 feature analysis_sigmora
R12 feature analysis_sigmora
 
Oracle R12.1.2 and R12.1.3 features
Oracle R12.1.2 and R12.1.3 featuresOracle R12.1.2 and R12.1.3 features
Oracle R12.1.2 and R12.1.3 features
 
152633980 accrual-reconciliation-process-and-troubleshooting-in-r12-pdf
152633980 accrual-reconciliation-process-and-troubleshooting-in-r12-pdf152633980 accrual-reconciliation-process-and-troubleshooting-in-r12-pdf
152633980 accrual-reconciliation-process-and-troubleshooting-in-r12-pdf
 
New Enhancements + Upgrade Path to Oracle EBS R12.1.3
New Enhancements + Upgrade Path to Oracle EBS R12.1.3New Enhancements + Upgrade Path to Oracle EBS R12.1.3
New Enhancements + Upgrade Path to Oracle EBS R12.1.3
 
R12 whats_new_financials
R12 whats_new_financialsR12 whats_new_financials
R12 whats_new_financials
 
Fixed assets-set-up
Fixed assets-set-upFixed assets-set-up
Fixed assets-set-up
 
Oracle EBS R11i to R12 financials
Oracle EBS R11i to R12 financialsOracle EBS R11i to R12 financials
Oracle EBS R11i to R12 financials
 
Oracle R12 Fixed Assets Changes From 11i
Oracle R12 Fixed Assets Changes From 11iOracle R12 Fixed Assets Changes From 11i
Oracle R12 Fixed Assets Changes From 11i
 
Oracle R12 AR Enhancement Overview
Oracle R12 AR Enhancement OverviewOracle R12 AR Enhancement Overview
Oracle R12 AR Enhancement Overview
 
Oracle R12 Cash Management New Features
Oracle R12 Cash Management New FeaturesOracle R12 Cash Management New Features
Oracle R12 Cash Management New Features
 
OOW09 R12.1 Standalone Solutions
OOW09 R12.1 Standalone SolutionsOOW09 R12.1 Standalone Solutions
OOW09 R12.1 Standalone Solutions
 
Differences R12 Vs 11i.5.10
Differences R12 Vs 11i.5.10Differences R12 Vs 11i.5.10
Differences R12 Vs 11i.5.10
 
R12 AP New Features
R12 AP New FeaturesR12 AP New Features
R12 AP New Features
 

Similar to 77848485 upgrade-security-in-your-r12-upgrade

Integrigy_Oracle_E-Business_Suite_Security_Risks_Primer_for_Internal_Auditors...
Integrigy_Oracle_E-Business_Suite_Security_Risks_Primer_for_Internal_Auditors...Integrigy_Oracle_E-Business_Suite_Security_Risks_Primer_for_Internal_Auditors...
Integrigy_Oracle_E-Business_Suite_Security_Risks_Primer_for_Internal_Auditors...Minh237839
 
RES Software Online Seminar 10 mei 2011
RES Software Online Seminar 10 mei 2011RES Software Online Seminar 10 mei 2011
RES Software Online Seminar 10 mei 2011RES Software Nederland
 
Dockercon 2015 - Faster Cheaper Safer
Dockercon 2015 - Faster Cheaper SaferDockercon 2015 - Faster Cheaper Safer
Dockercon 2015 - Faster Cheaper SaferAdrian Cockcroft
 
Ved du, hvor dine data er - og hvem, der har adgang til dem? Ron Ben Natan, I...
Ved du, hvor dine data er - og hvem, der har adgang til dem? Ron Ben Natan, I...Ved du, hvor dine data er - og hvem, der har adgang til dem? Ron Ben Natan, I...
Ved du, hvor dine data er - og hvem, der har adgang til dem? Ron Ben Natan, I...IBM Danmark
 
香港六合彩 » SlideShare
香港六合彩 » SlideShare香港六合彩 » SlideShare
香港六合彩 » SlideSharehitsvrxk
 
六合彩,香港六合彩
六合彩,香港六合彩六合彩,香港六合彩
六合彩,香港六合彩mncsmy
 
香港六合彩 » SlideShare
香港六合彩 » SlideShare香港六合彩 » SlideShare
香港六合彩 » SlideSharerjwahnup
 
SCOM 2007 & Audit Collection Services
SCOM 2007 & Audit Collection Services SCOM 2007 & Audit Collection Services
SCOM 2007 & Audit Collection Services OlivierMichot
 
Owasp Backend Security Project 1.0beta
Owasp Backend Security Project 1.0betaOwasp Backend Security Project 1.0beta
Owasp Backend Security Project 1.0betaSecurity Date
 
Webinar: “Mai sentito parlare di Continuous Delivery per il database? Ecco co...
Webinar: “Mai sentito parlare di Continuous Delivery per il database? Ecco co...Webinar: “Mai sentito parlare di Continuous Delivery per il database? Ecco co...
Webinar: “Mai sentito parlare di Continuous Delivery per il database? Ecco co...Emerasoft, solutions to collaborate
 
Devops security-An Insight into Secure-SDLC
Devops security-An Insight into Secure-SDLCDevops security-An Insight into Secure-SDLC
Devops security-An Insight into Secure-SDLCSuman Sourav
 
Ppt security-database-overview-11g r2
Ppt security-database-overview-11g r2Ppt security-database-overview-11g r2
Ppt security-database-overview-11g r2Oracle BH
 
OOW 09 EBS Application Change Management Pack
OOW 09 EBS Application Change Management PackOOW 09 EBS Application Change Management Pack
OOW 09 EBS Application Change Management Packjucaab
 
Symantec control compliance suite
Symantec control compliance suiteSymantec control compliance suite
Symantec control compliance suiteSymantec
 
Magento Application Security [EN]
Magento Application Security [EN]Magento Application Security [EN]
Magento Application Security [EN]Anna Völkl
 
Sccm 2012 overview - chris_estonina
Sccm 2012 overview - chris_estoninaSccm 2012 overview - chris_estonina
Sccm 2012 overview - chris_estoninaMicrosoft Singapore
 
Summer training oracle
Summer training oracle Summer training oracle
Summer training oracle Arshit Rai
 
Building an Automated Security Fabric in AWS
Building an Automated Security Fabric in AWSBuilding an Automated Security Fabric in AWS
Building an Automated Security Fabric in AWSAmazon Web Services
 
Security best practices
Security best practicesSecurity best practices
Security best practicesAVEVA
 

Similar to 77848485 upgrade-security-in-your-r12-upgrade (20)

Integrigy_Oracle_E-Business_Suite_Security_Risks_Primer_for_Internal_Auditors...
Integrigy_Oracle_E-Business_Suite_Security_Risks_Primer_for_Internal_Auditors...Integrigy_Oracle_E-Business_Suite_Security_Risks_Primer_for_Internal_Auditors...
Integrigy_Oracle_E-Business_Suite_Security_Risks_Primer_for_Internal_Auditors...
 
RES Software Online Seminar 10 mei 2011
RES Software Online Seminar 10 mei 2011RES Software Online Seminar 10 mei 2011
RES Software Online Seminar 10 mei 2011
 
Dockercon 2015 - Faster Cheaper Safer
Dockercon 2015 - Faster Cheaper SaferDockercon 2015 - Faster Cheaper Safer
Dockercon 2015 - Faster Cheaper Safer
 
Ved du, hvor dine data er - og hvem, der har adgang til dem? Ron Ben Natan, I...
Ved du, hvor dine data er - og hvem, der har adgang til dem? Ron Ben Natan, I...Ved du, hvor dine data er - og hvem, der har adgang til dem? Ron Ben Natan, I...
Ved du, hvor dine data er - og hvem, der har adgang til dem? Ron Ben Natan, I...
 
香港六合彩 » SlideShare
香港六合彩 » SlideShare香港六合彩 » SlideShare
香港六合彩 » SlideShare
 
六合彩,香港六合彩
六合彩,香港六合彩六合彩,香港六合彩
六合彩,香港六合彩
 
香港六合彩 » SlideShare
香港六合彩 » SlideShare香港六合彩 » SlideShare
香港六合彩 » SlideShare
 
AMIS Oracle OpenWorld 2013 Review Part 2 - Platform Middleware Publication
AMIS Oracle OpenWorld 2013 Review Part 2 - Platform Middleware PublicationAMIS Oracle OpenWorld 2013 Review Part 2 - Platform Middleware Publication
AMIS Oracle OpenWorld 2013 Review Part 2 - Platform Middleware Publication
 
SCOM 2007 & Audit Collection Services
SCOM 2007 & Audit Collection Services SCOM 2007 & Audit Collection Services
SCOM 2007 & Audit Collection Services
 
Owasp Backend Security Project 1.0beta
Owasp Backend Security Project 1.0betaOwasp Backend Security Project 1.0beta
Owasp Backend Security Project 1.0beta
 
Webinar: “Mai sentito parlare di Continuous Delivery per il database? Ecco co...
Webinar: “Mai sentito parlare di Continuous Delivery per il database? Ecco co...Webinar: “Mai sentito parlare di Continuous Delivery per il database? Ecco co...
Webinar: “Mai sentito parlare di Continuous Delivery per il database? Ecco co...
 
Devops security-An Insight into Secure-SDLC
Devops security-An Insight into Secure-SDLCDevops security-An Insight into Secure-SDLC
Devops security-An Insight into Secure-SDLC
 
Ppt security-database-overview-11g r2
Ppt security-database-overview-11g r2Ppt security-database-overview-11g r2
Ppt security-database-overview-11g r2
 
OOW 09 EBS Application Change Management Pack
OOW 09 EBS Application Change Management PackOOW 09 EBS Application Change Management Pack
OOW 09 EBS Application Change Management Pack
 
Symantec control compliance suite
Symantec control compliance suiteSymantec control compliance suite
Symantec control compliance suite
 
Magento Application Security [EN]
Magento Application Security [EN]Magento Application Security [EN]
Magento Application Security [EN]
 
Sccm 2012 overview - chris_estonina
Sccm 2012 overview - chris_estoninaSccm 2012 overview - chris_estonina
Sccm 2012 overview - chris_estonina
 
Summer training oracle
Summer training oracle Summer training oracle
Summer training oracle
 
Building an Automated Security Fabric in AWS
Building an Automated Security Fabric in AWSBuilding an Automated Security Fabric in AWS
Building an Automated Security Fabric in AWS
 
Security best practices
Security best practicesSecurity best practices
Security best practices
 

77848485 upgrade-security-in-your-r12-upgrade

  • 1. mission critical applications … … mission critical security Upgrade Security in Your Oracle R12 Upgrade Stephen Kost Chief Technology Officer Integrigy Corporation NCOAUG Winter 2011  February 25, 2011
  • 2. Integrigy Overview Integrigy Corporation is a leader in application security for enterprise  mission‐critical applications.  AppSentry, our application and database  security assessment tool, assists companies in securing their largest and  most important applications through detailed security audits and actionable  recommendations.  Integrigy Consulting offers comprehensive security  assessment services for leading databases and ERP applications, enabling  companies to leverage our in‐depth knowledge of this significant threat to  business operations. Corporate Details − Founded December 2001 − Privately Held − Based in Chicago, Illinois
  • 3. Background Speaker Company Stephen Kost Integrigy Corporation CTO and Founder Integrigy bridges the gap between  databases and security 16 years working with Oracle Security Design and Assessment of  12 years focused on Oracle  Oracle Databases security Security Design and Assessment of  DBA, Apps DBA, technical  the Oracle E‐Business suite architect, IT security, … AppSentry ‐ Security Assessment  Software Tool
  • 4. Integrigy Security Alerts Security Alert Versions Security Vulnerabilities Oracle 11g 2 Issues in Oracle RDBMS Authentication Critical Patch Update July 2008 11.5.8 – 12.0.x 2 Oracle E‐Business Suite vulnerabilities 12.0.x 8 vulnerabilities, SQL injection, XSS, information  Critical Patch Update April 2008 11.5.7 – 11.5.10 disclosure, etc. 12.0.x 11 vulnerabilities, SQL injection, XSS, information  Critical Patch Update July 2007 11.5.1 – 11.5.10 disclosure, etc. 11.5.1 – 11.5.10 Critical Patch Update October 2005 11.0.x Default configuration issues 11.5.1 – 11.5.10 SQL injection vulnerabilities Critical Patch Update July 2005 11.0.x Information disclosure 11.5.1 – 11.5.10 SQL injection vulnerabilities Critical Patch Update April 2005 11.0.x Information disclosure 11.5.1 – 11.5.10 Critical Patch Update Jan 2005 11.0.x SQL injection vulnerabilities Buffer overflows Oracle Security Alert #68 Oracle 8i, 9i, 10g Listener information leakage 11.5.1 – 11.5.8 Oracle Security Alert #67 11.0.x 10 SQL injection vulnerabilities 11.5.1 – 11.5.8 Buffer overflow in FNDWRR.exe Oracle Security Alert #56 11.0.x Multiple vulnerabilities in AOL/J Setup Test Oracle Security Alert #55 11.5.1 – 11.5.8 Obtain sensitive information (valid session) 10.7, 11.0.x No authentication in FNDFS program Oracle Security Alert #53 11.5.1 – 11.5.8 Retrieve any file from O/S
  • 5. Agenda Improving Security  R12 Security during the Upgrade Enhancements Q&A 1 2 3 4 5 11i and R12 R12 New Differences Security Features
  • 6. Agenda Improving Security  R12 Security during the Upgrade Enhancements Q&A 1 2 3 4 5 11i and R12 R12 New Differences Security Features
  • 7. Why do “Security” during the upgrade? 1 Technology Stack Upgrades New version = new security features Reset of security patching – should be current at go‐live 2 Functional, Technical, & Stress Testing Functional application testing Performance and stress testing 3 Modifications to Customizations Some or many customizations must be upgraded Ideal time to review development standards
  • 8. Traditional R12 Upgrade Project Post‐ Evaluate Plan Test Upgrade Upgrade Security Security Security Security Security
  • 9. Security “Aware” R12 Upgrade Project Goal: High security value, low project effort, major testing required, low project risk Post‐ Evaluate Plan Test Upgrade Upgrade Security and  Functional and  Implement  compliance gap analysis technical test new  security process  Review new application  security features improvements and technology stack  Performance test  Post upgrade  security features auditing  security review enhancements Improve security and  Implement new security  compliance processes features Develop new security  Latest security patches features Upgrade hardening task Customization security  Security scan reviews
  • 10. Example Upgrade Security Enhancements Security  Security  Project Testing Project  Enhancement Value Effort Required Risk Restricted Database Access High Medium High Medium Auditing High Low Medium Low Encryption High Low High Medium Security Patches High Low Medium Low Security Hardening Medium Low Medium Low Database Access Controls Medium Medium Medium Low Data Scrambling Medium Low Low Low Single Sign‐on Low High High High
  • 11. R12 Upgrade Impacted Security Processes Oracle Applications Technical Components Oracle Applications Database Application Server Operating System 1.1 User Management 1. Account Security 1.3 Database Security 1.4 Network and Web 1.5 OS Security 1.2 Segregation of Duties 2.1 Data Management 2.2 Database Access  2. Data Security 2.3 Web Access  2.4 File Permissions and Privacy and Privileges Operational Processes 3. Auditing 3.1 Application Auditing 3.2 Database Auditing 3.3 Web Logging 3.4 OS Auditing 4. Monitoring and  4.1 Application 4.2 Database 4.3 Web and Forms 4.4 Operating System Troubleshooting 5.1 Object Migrations 5.3 Change Control 5. Change 5.5 Change Control 5.6 Change Control Management 5.2 Application  5.4 Database  Configuration Configuration 6.3 Application Server  6. Patching 6.1 Application Patches 6.2 Database Patches 6.4 OS Patches Patches 7.3 Web 7. Development 7.1 Application 7.2 Database 7.5 Shell and File Transfer 7.4 Web Services  and SOA
  • 12. Agenda Improving Security  R12 Security during the Upgrade Enhancements Q&A 1 2 3 4 5 11i and R12 R12 New Differences Security Features
  • 13. 11i/R12 Architecture Differences Oracle EBS 11.5.10.2 Oracle EBS 12.1.3 Application Server Application Server circa Replaces 1999 JServ JServ OC4J Apache Apache 1.3.19 1.3.34 JSP (current is JSP Web Listener Web Listener 1.3.42 or BC4J Removed 2.2.17) BC4J in R12 modplsql UIX Reports Reports 8.0.6.3 Forms Oracle  Forms Home Oracle 9iAS 1.0.2.2.2 Oracle AS 10g 10.1.2/10.1.3 Version App Server Desupported Upgradable ~2005
  • 14. 11i/R12 Architecture Differences Oracle Database Upgrade − 9.2/10.2 replaced with 11.2 − 11.2 has TDE tablespace encryption Oracle Jinitiator ‐> Sun JRE − Improved support and standardization mod_plsql retired − Significant security vulnerabilities historically − Allowed direct execution of PL/SQL packages in database Forms Server ‐> Forms Listener Servlet − All network traffic through Apache server – no standalone port Oracle Reports ‐> XML Publisher − Improved security model and features
  • 15. Critical Patch Updates R12 Critical Patch Updates are cumulative − 11i introduced cumulative patches with January 2010 CPU Database Version Included CPU EBS Version Included CPU Upgrade Patch 10.2.0.4 April 2008 12.0.6 October 2008 11.1.0.6 October 2007 12.1.1 April 2009 11.1.0.7 January 2009 12.1.2 October 2009 11.2.0.1 January 2010 12.1.3 January 2011* 11.2.0.2 January 2011 * Estimated by Integrigy
  • 16. R12 Application Users Added New application accounts from 12.0.0 onward − INDUSTRY DATA − ORACLE12.0.0  − ORACLE12.1.0 − ORACLE12.2.0 − ORACLE12.3.0 − ORACLE12.4.0 − ORACLE12.5.0 − ORACLE12.6.0 − ORACLE12.7.0 − ORACLE12.8.0 − ORACLE12.9.0  All are active accounts with invalid passwords
  • 17. Database Accounts Added A new database account is added for each  new product module − Database accounts active with default password − Partial list of new module database accounts: CA, DDR, DNA, DPP, FTP, GMO,  IBW, INL, IPM, ITA, JMF, MTH,  PFT, QPR, RRS, 
  • 18. Agenda Improving Security  R12 Security during the Upgrade Enhancements Q&A 1 2 3 4 5 11i and R12 R12 New Differences Security Features
  • 19. Protecting Database Accounts Use AFPASSWD rather than FNDCPASS − Lock Products Schema Accounts > AFPASSWD  –L  TRUE − Improved separation of duties − Fewer errors changing password with password confirmation  entry − See R12 SAG – Configuration Oracle 11g case sensitive passwords (12.1 only) − SEC_CASE_SENSITIVE_LOGON = TRUE − APPLSYSPUB must always be uppercase Change the APPLSYSPUB password − Finally works in R12 and supported by Oracle − Also make sure the password is changed in AutoConfig
  • 20. Web Server Traffic Encryption (SSL) Improved SSL support − Changed from mod_ssl ‐> mod_ossl − Uses Oracle Wallet for storing certificates − Only strong ciphers enabled and SSLv2 disabled Provides AutoConfig support for securing the  major communication routes with SSL. See Metalink Note ID 376700.1
  • 21. Advanced Configuration Wizards New “Advanced Configuration Wizards” for  complex setups of advanced configurations − Available through OAM − DNS load balancing − HTTP load balancing − SSL setup on web server − SSL Accelerator setup
  • 22. Agenda Improving Security  R12 Security during the Upgrade Enhancements Q&A 1 2 3 4 5 11i and R12 R12 New Differences Security Features
  • 23. Oracle Connection Manager Oracle Connection Manager Supported − Advanced security to restrict database connections − Like Managed SQL*Net Access, but on steroids − See Metalink Note ID 558959.1
  • 24. RBAC and User Management Role Based Access Control (RBAC) − RBAC is an ANSI standard for access control − Allows for responsibilities to be assigned through roles − Role Inheritance and Role Categories − See Metalink Note ID 290525.1 Oracle User Management (UMX) − New user registration − Enhanced Forget Username/Password Functionality − New security wizards
  • 25. Proxy User Proxy User allows a user to specify a proxy  who can act on their behalf. − For example, an executive can designate an  assistant as a proxy, allowing that assistant to − Create, edit or approve transactions on behalf of  that executive Generally, avoid use due to auditing issues Can be used to solve the concurrent request  scheduling problem
  • 26. PCI PA‐DSS Oracle PA‐DSS Consolidated Patch for 12.1  − Reduces complexity of PCI DSS compliance − Fixes multiple functional weaknesses when processing  and viewing credit card data − Does not eliminate significant manual configuration for  PCI DSS − Only 12.1 is PA‐DSS compliant − See Metalink Note ID 984283.1 11i and 12.0 will not be PA‐DSS compliant − See Metalink Note ID 1101213.1
  • 27. R12 Upgrade Security Recommendations Include security tasks throughout the upgrade project − Implement high value, low effort security improvements and  enhancements − Leverage the “free” testing cycles Adhere to the Oracle Best Practices for Oracle EBS security − See Metalink Note ID 403537.1 − Written by Integrigy − Oracle has not updated since 2007 Validate the security configuration post‐upgrade − Perform a post‐upgrade security scan or review − Validate compliance against security best practices − Oracle E‐Business Suite is complex and “the devil is in the  details”
  • 28. Agenda Improving Security  R12 Security during the Upgrade Enhancements Q&A 1 2 3 4 5 11i and R12 R12 New Differences Security Features
  • 29. Upcoming Integrigy Events Webinar: Protecting You Sensitive Data − Wednesday, March 16, 2pm EDT COLLABORATE 11 – OAUG and IOUG − Protecting Sensitive Data in the Oracle E‐Business Suite − Securing the Oracle E‐Business Suite Best Practices Panel − Security Bootcamp: Real‐life Database Security Mistakes − Credit Cards and Oracle: How to Comply with PCI‐DSS − Real‐life E‐Business Suite Security Mistakes
  • 30. Integrigy Contact Information Stephen Kost e‐mail: info@integrigy.com Chief Technology Officer blog: integrigy.com/oracle‐security‐blog Integrigy Corporation For information on ‐ Oracle Database Security Oracle E‐Business Suite Security www.integrigy.com Oracle Critical Patch Updates Oracle Security Blog Copyright © 2011 Integrigy Corporation.  All rights reserved.