Learn about the top security risks and vulnerabilities specific to the Oracle E-Business Suite and why you should care! Whether your ERP is in the process of being implemented or has been in place for years, there are a number of security vulnerabilities commonly overlooked by implementation / support teams focused on project timing, budget, and functionality. This presentation is geared toward the end user community, system administrators, and other application support personnel and what they need to know to protect their Oracle EBS data from unauthorized access.
Amplify the participants’ overall security awareness
Share knowledge and experiences in securing Oracle EBS
Provide a detailed list of commonly overlooked security vulnerabilities, risks each pose, and how to fix or mitigate each
Learn About the Top Oracle E-Business Suite Security Vulnerabilities
1. Top Oracle E-Business Suite
Security Vulnerabilities
Christeen Russell, Crowe Horwath
2. Christeen Russell
• Senior Manager in the Technology Risk Group at Crowe Horwath
• Technology audit and implementation capabilities include:
• Oracle E-Business Suite 11i & R12
• Great Plains 10
• Microsoft CRM 4.0 & 2011
• Certified Public Accountant (CPA) - Illinois & New York
• Certified Information Systems Auditor (CISA)
3. Crowe Risk Consulting
We have more than 1,100 experienced practitioners with geographic, functional, and industry expertise.
Crowe Horwath Global Risk Consulting has been named a “Challenger” by Gartner, Inc., in the “Magic Quadrant for Global Risk Management Consulting Services”, by Jacqueline Heng and John A. Wheeler. The full report can be reviewed at www.crowehorwath.com/gartner
4. Objectives
1. Amplify the participants’ overall Oracle EBS security awareness
2. Share knowledge and experiences in securing Oracle EBS
3. Provide a detailed list of commonly overlooked Oracle EBS security vulnerabilities, the risks each poses, and how to fix or mitigate each
5. Top Security Concerns
• Seeded (default/generic) application accounts with known passwords (30+)
• Seeded database accounts with known passwords (200+)
• AZN menus
• Seeded responsibilities and menus
• Delegation authority and proxy users
• Direct database access through the application
• Defense against cross-site scripting (XSS), HTML injection attacks, and parameter and URL tampering
• Weak default password settings
• Password setting “overrides”
• Protecting sensitive information
• Sensitive administrative pages
6. Why are These Top Security Concerns?
• Issues commonly seen in Oracle EBS environments
• Most are free and/or not complex to address
• Relevant to various releases
• Not well known
7. What are the Risks?
• Unauthorized access (to data and configuration settings), adversely affecting transaction processing and data integrity
• Data exfiltration and leakage
• Non-compliance with regulations (SOX, PCI DSS/PA DSS, HIPAA, etc.)
• Non-compliance with company policy
• Potential to commit fraud
• Reputational harm
9. ID Overview
• Oracle EBS: 30+ seeded “generic” user ids, e.g. APPSMGR, IBEGUEST, GUEST, SYSADMIN, WIZARD
• Oracle Database: Oracle EBS creates 200+ db accounts, e.g. APPS, APPLSYS, SYS, SYSTEM, and 100+ schema accounts
• Operating System: oracle, applmgr
Oracle ships seeded accounts with widely known default passwords!
10. Privileged & Generic IDs
• Passwords are published on the internet and are typically “welcome”, “Oracle”, or the same as the id, e.g.:
• MOBADM password is MOBADM
• ASGADM password is welcome
• Some IDs have privileged access
• New accounts are automatically added during upgrades, e.g.:
• 12.2.2 – GHG, APPS_NE
• 12.1.0 – DDR, DPP, INL, MTH, QPR, RRS
• 12.0.4 – IZU
• 12.0.0 – DNA, GMO, IBW, IPM, JMF
11. Seeded ID’s – Application Level
ID | Purpose | Change Password | Disable Account
AME_INVALID_APPROVER | AME workflow migration 11.5.9 to 11.5.10 | Yes | Yes
ANONYMOUS | FND/AOL - Anonymous for non-logged users | Yes | Yes
APPSMGR | Routine maintenance via concurrent requests | No^ | Yes
ASADMIN | Application Server Administrator | No^ | Yes
ASGADM | Mobile gateway related products | Yes | Yes*
ASGUEST | Sales Application guest user | Yes | Yes*
AUTOINSTALL | AD | Yes | Yes
CONCURRENT MANAGER | FND/AOL: Concurrent Manager | Yes | Yes
FEEDER SYSTEM | AD - Supports data from feeder system | Yes | Yes
^ It is not possible to log in as this user unless you change the password.
* Required for the Mobile Sales, Service, and Mobile Core Gateway components, for the Sales Application, or for iStore, depending on the account.
12. Seeded ID’s – Application Level
ID | Purpose | Change Password | Disable Account
GUEST | Guest application user | Yes | No
IBE_ADMIN | iStore Admin user | Yes | Yes*
IBE_GUEST | iStore Guest user | Yes | Yes*
IBEGUEST | iStore Guest user | Yes | Yes*
IEXADMIN | Internet Expenses Admin | Yes | Yes
INDUSTRY DATA | Used for PCI Security Demo | No^ | Yes
INITIAL SETUP | AD | Yes | Yes
IRC_EMP_GUEST | iRecruitment Employee Guest Login | Yes | Yes
IRC_EXT_GUEST | iRecruitment External Guest Login | Yes | Yes
MOBADM | Mobile Applications Development | Yes | Yes
MOBILEADM | Mobile Applications Admin | Yes | Yes
MOBILEDEV | Mobile Applications Development | Yes | Yes
Do not disable the GUEST account.
13. Seeded ID’s – Application Level
ID | Purpose | Change Password | Disable Account
OP_CUST_CARE_ADMIN | Customer Care Admin for Oracle Provisioning | Yes | Yes
OP_SYSADMIN | OP (Process Manufacturing) Admin User | Yes | Yes
ORACLE12.0.0 to ORACLE12.9.0 | Owner for release specific seed data | No^ | No
PORTAL30 | Oracle Portal and Portal Single Sign On (desupported) | Yes | Yes
PORTAL30_SSO | Oracle Portal and Portal Single Sign On (desupported) | Yes | Yes
STANDALONE BATCH PROCESS | FND/AOL | Yes | Yes
SYSADMIN | Application Systems Admin | Yes | No
WIZARD | AD Application Implementation Wizard | Yes | Yes
XML_USER | Gateway | Yes | Yes
Do not disable the SYSADMIN account.
14. Other Generic ID’s – Application Level
• Search for other generic ID’s from the users table (fnd_users)
• SQL statement to identify users with:
• no “end_date”
• no “employee_id” and/or
• “last_logon_date” greater than a certain date
• Greatly narrow down your search through the user list
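An added example of the kind of query described above, not from the presentation: it assumes the standard APPS.FND_USER table (the slide calls it fnd_users) with its END_DATE, EMPLOYEE_ID, LAST_LOGON_DATE, PASSWORD_DATE and CREATION_DATE columns; the cutoff date is a constructed value, and the seeded ID list is taken from the three preceding slides.

```sql
-- Added example, not from the original presentation.
-- Assumes APPS.FND_USER (the "fnd_users" table on the slide) with the
-- columns END_DATE, EMPLOYEE_ID, LAST_LOGON_DATE, PASSWORD_DATE and
-- CREATION_DATE.  The cutoff date below is a constructed value.

-- 1) Candidate generic IDs: active accounts with no linked employee
--    that have been used since the cutoff date.
SELECT u.user_name,
       u.creation_date,
       u.last_logon_date,
       u.password_date,
       u.description
  FROM apps.fnd_user u
 WHERE u.end_date    IS NULL                         -- not end-dated
   AND u.employee_id IS NULL                         -- not tied to a person
   AND u.last_logon_date > TO_DATE('2014-01-01', 'YYYY-MM-DD')
 ORDER BY u.last_logon_date DESC;

-- 2) Status of the seeded accounts from the preceding slides: still
--    active?  ever logged into?  password changed since creation?
--    (the "DEFAULT?" test is a heuristic: a password never reset after
--    install keeps its original PASSWORD_DATE, or none at all)
SELECT u.user_name,
       CASE WHEN u.end_date IS NULL OR u.end_date > SYSDATE
            THEN 'ACTIVE' ELSE 'END-DATED' END                  AS status,
       u.last_logon_date,
       CASE WHEN u.password_date IS NULL
              OR u.password_date <= u.creation_date + 1
            THEN 'DEFAULT?' ELSE 'CHANGED' END                  AS password_state
  FROM apps.fnd_user u
 WHERE u.user_name IN ('AME_INVALID_APPROVER','ANONYMOUS','APPSMGR','ASADMIN',
                       'ASGADM','ASGUEST','AUTOINSTALL','CONCURRENT MANAGER',
                       'FEEDER SYSTEM','GUEST','IBE_ADMIN','IBE_GUEST','IBEGUEST',
                       'IEXADMIN','INDUSTRY DATA','INITIAL SETUP','IRC_EMP_GUEST',
                       'IRC_EXT_GUEST','MOBADM','MOBILEADM','MOBILEDEV',
                       'OP_CUST_CARE_ADMIN','OP_SYSADMIN','PORTAL30','PORTAL30_SSO',
                       'STANDALONE BATCH PROCESS','SYSADMIN','WIZARD','XML_USER')
 ORDER BY status, u.user_name;
```

Any row in the first result that is not a documented integration or batch account is a candidate for an owner, an end date, or both.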
15. Seeded ID’s – Database Level
Schema | Purpose | Change Password
SYS | Initial schema in any Oracle database | Yes
SYSTEM | Initial DBA User | Yes
DBSNMP, SYSMAN, MGMT_VIEW | Used for database status monitoring | Yes
SCOTT | Oracle db demo account | Yes, and lock the account
SSOSDK | Single Sign On SDK | Yes
JUNK_PS, MDSYS, ODM_MTR, OLAPSYS, ORDPLUGINS, ORDSYS, OUTLN, OWAPUB, MGDSYS | | Yes
PORTAL30_DEMO, PORTAL30_PUBLIC, PORTAL30_SSO_PS, & PORTAL30_SSO_PUBLIC | Oracle Login Server and Portal 3.0.9 with E-Business Suite 11i | Yes, and lock PORTAL30_DEMO if using 11i; otherwise lock all
PORTAL30, PORTAL30_SSO | Oracle Login Server and Portal 3.0.9 with E-Business Suite 11i | Yes, and lock the schemas if not using 11i
CTXSYS | Used by Online Help and CRM service products for indexing knowledge base data | Yes
16. Seeded ID’s – Database Level
Schema | Purpose | Change Password
EDWREP | Embedded Data Warehouse Metadata Repository | Yes, but if not using Embedded Data Warehouse, then lock and expire EDWREP
ODM | Oracle Data Manager | Yes
APPLSYSPUB | Verifies the username/password combination and records the success or failure of a login attempt. R12 only | Yes (must be all upper case)
APPLSYS | Contains shared APPS objects | Yes, use a long secure password
APPS | Runtime user for E-Business Suite. Owns all of the applications code in the database | Yes, use a long secure password
APPS_mrc | Obsolete account | Yes, use a long secure password
AD_MONITOR, EM_MONITOR | Oracle Applications Manager uses this schema to monitor running patches. Although the default password for AD_MONITOR is 'lizard', the schema is created locked and expired. | Yes
17. Seeded ID’s – Database Level
ABM AHL AHM AK ALR AMF AMS AMV AMW AP AR ASF
ASG ASL ASN ASO ASP AST AX AZ BEN BIC BIL BIM BIS BIV
BIX BNE BOM BSC CCT CE CLN CN CRP CS CSC CSD CSE CSF
CSI CSL CSM CSP CSR CSS CUA CUE CUF CUG CUI CUN CUP
CUS CZ DDD DDR DNA DOM DPP EAA EAM EC ECX EDR EGO
ENG ENI EVM FA FEM FII FLM FPA FPT FRM FTE FTP FUN FV
GCS GL GHG GMA GMD GME GMF GMI GML GMO GMP GMS GR
HR HRI HXC HXT IA IBA IBC IBE IBP IBU IBW IBY ICX IEB
IEC IEM IEO IES IEU IEX IGC IGF IGI IGS IGW IMC IMT INL
INV IPA IPD IPM ISC ITA ITG IZU JA JE JG JL JMF JTF JTM JTS
LNS ME MFG MRP MSC MSD MSO MSR MST MTH MWA OE
OKB OKC OKE OKI OKL OKO OKR OKS OKX ONT OPI OSM
OTA OZF OZP OZS PA PFT PJI PJM PMI PN PO POA POM PON
POS PRP PSA PSB PSP PV QA QOT QP QPR QRM RG RHX RLA
RLM RRS SSP VEA VEH WIP WMS WPS WSH WSM XDO XDP
XLA XLE XNB XNC XNI XNM XNP XNS XTR ZFA ZPB ZSA ZX
• By default the password is the same as the SCHEMA name
• Change all of these schema passwords
200+ DB schemas shipped with Oracle EBS; new schemas are created during upgrades
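An added example, not from the presentation, of how a DBA can check the database-level accounts from slides 15 to 17 for unchanged passwords; it assumes a DBA-privileged session, the Oracle-supplied DBA_USERS_WITH_DEFPWD view (Oracle Database 11g and later) and the PTIME/CTIME columns of SYS.USER$.

```sql
-- Added example, not from the original presentation.
-- Run as a DBA.  DBA_USERS_WITH_DEFPWD (11g+) lists accounts whose password
-- still matches an Oracle-shipped default; joining it to DBA_USERS shows
-- which of those accounts are also OPEN and therefore usable.
SELECT u.username,
       u.account_status,
       u.profile,
       u.created,
       CASE WHEN d.username IS NOT NULL THEN 'YES' ELSE 'no' END AS default_pwd
  FROM dba_users u
  LEFT JOIN dba_users_with_defpwd d ON d.username = u.username
 ORDER BY default_pwd DESC, u.account_status, u.username;

-- The EBS product schemas (AP, AR, GL, PO, ... as listed on slide 17) are
-- not all covered by that view, so also flag every open account whose
-- password has never been reset since it was created: in SYS.USER$, CTIME
-- is the creation time and PTIME the last password change.
SELECT s.name          AS schema_name,
       s.ctime         AS created,
       s.ptime         AS password_changed,
       u.account_status,
       u.profile
  FROM sys.user$ s
  JOIN dba_users u ON u.username = s.name
 WHERE s.type# = 1                     -- 1 = user (0 = role)
   AND s.ptime <= s.ctime + 1          -- never changed after install day
   AND u.account_status = 'OPEN'
 ORDER BY s.name;
```

Accounts that appear in the second result with the shipped schema-name password should be reset with the supported EBS password tooling and, where the slides say so, locked.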
18. Control Seeded ID’s
• Change the password and disable the account where recommended
• Changed passwords should be “sealed”
• For accounts where the password cannot be changed and/or disabled
log activity performed using the accounts (manual logins)
• Setup alerts or have periodic reviews of activity
• Consult Oracle Metalink Note 403537.1.
20. Restricted Access & Segregation of Duties
• Defined as users with too much or conflicting access
• Risk:
• Unauthorized transactions, erroneous transactions, or fraudulent activity
• Users who combine access to modify system configuration settings with
business transaction execution access increase the risk that application
controls dependent upon configuration settings will be circumvented
• Data leakage or exfiltration
• So let’s discuss:
• AZN’s
• Seeded menus and responsibilities
• Delegation authority
• Proxy users
21. Process Tab / AZN
• Click an icon to gain immediate access to the associated form
• In this example, the user most likely has “end-to-end” access in the purchase to payments process
[Screenshots: “Traditional way to access functions” vs. “Process tab access”]
22. Process Tab / AZN - continued
• Potential Segregation of Duties conflicts!!
• NOTE: Many do not know this additional access exists.
Example of a menu with an AZN submenu (menus are assigned to responsibilities):
25. Seeded Menus & Responsibilities
• Should not be used nor copied and renamed
• These are not “perfect” and also may contain AZN menus, leading to:
• Excessive access
• Segregation of duties conflicts
• Example: Seeded Receivables Inquiry is not limited to view only
• Create auto adjustments
• Write off receipts
• Open and close periods
• May re-introduce the aforementioned issues during upgrades/patches if using
standard menus
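An added example, not from the presentation, of finding which responsibilities reach an AZN (Process tab) submenu anywhere in their menu tree, as slides 21, 22 and 25 describe; it assumes the standard FND_MENUS, FND_MENU_ENTRIES and FND_RESPONSIBILITY_VL tables, an Oracle 11gR2 or later database for the recursive WITH clause, and that Process-tab submenus can be recognised by the string AZN in their menu name (an assumption, adjust the pattern if your menus differ).

```sql
-- Added example, not from the original presentation.
-- Assumes FND_MENUS (MENU_ID, MENU_NAME, USER_MENU_NAME),
-- FND_MENU_ENTRIES (MENU_ID, SUB_MENU_ID) and FND_RESPONSIBILITY_VL
-- (RESPONSIBILITY_NAME, MENU_ID, END_DATE), and that AZN submenus carry
-- 'AZN' in MENU_NAME (assumption).  Walks each active responsibility's
-- menu tree and reports every AZN submenu reachable from it.
WITH menu_tree (root_menu_id, menu_id, depth) AS (
  SELECT DISTINCT r.menu_id, r.menu_id, 0          -- one root per top menu
    FROM apps.fnd_responsibility_vl r
   WHERE r.end_date IS NULL OR r.end_date > SYSDATE
  UNION ALL
  SELECT t.root_menu_id, e.sub_menu_id, t.depth + 1
    FROM menu_tree t
    JOIN apps.fnd_menu_entries e ON e.menu_id = t.menu_id
   WHERE e.sub_menu_id IS NOT NULL
     AND t.depth < 10                               -- guard: menus can loop
)
SELECT DISTINCT r.responsibility_name,
       rm.menu_name       AS top_menu,
       m.menu_name        AS azn_submenu,
       m.user_menu_name,
       t.depth
  FROM menu_tree t
  JOIN apps.fnd_menus m             ON m.menu_id  = t.menu_id
  JOIN apps.fnd_menus rm            ON rm.menu_id = t.root_menu_id
  JOIN apps.fnd_responsibility_vl r ON r.menu_id  = t.root_menu_id
 WHERE UPPER(m.menu_name) LIKE '%AZN%'
   AND t.depth > 0                                  -- submenus only
   AND (r.end_date IS NULL OR r.end_date > SYSDATE)
 ORDER BY r.responsibility_name, t.depth, m.menu_name;
```

The depth column carries the recursion along and stops it at ten levels, so a looping seeded menu does not trip Oracle's cycle detection or run forever.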
26. User Management - UMX
• Delivers Role Based Access Control (RBAC)
• Groups responsibilities, permission sets, and data security rules
• Common user registration workflow
• Forgotten password functionality
• Security decentralization
• Proxies
27. Delegated Administration
• Delegate local admins to perform system administration for a subset
of users and roles
• Risks:
• The “users” form in the User Management screen (UMX) does not allow one
to establish a password expiration
• How do you ensure any remote locations are compliant with corporate
security policies
28. Password Expiration
• Set at the User level
• Can set the “Password Expiration”
to either:
• Days
• Accesses
• None
• By default user passwords do not
periodically expire
• Create a personalization
• Periodic review or alert
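An added example, not from the presentation, of the periodic review described above; it assumes the standard APPS.FND_USER columns PASSWORD_LIFESPAN_DAYS and PASSWORD_LIFESPAN_ACCESSES, which hold the per-user “Password Expiration” setting (both NULL corresponds to “None”).

```sql
-- Added example, not from the original presentation.
-- Assumes APPS.FND_USER with PASSWORD_LIFESPAN_DAYS and
-- PASSWORD_LIFESPAN_ACCESSES (the "Days" / "Accesses" choices on the
-- Users form); both NULL means the password never expires.
SELECT u.user_name,
       CASE WHEN u.employee_id IS NULL THEN 'generic/system'
            ELSE 'person' END                                  AS id_type,
       u.last_logon_date,
       u.password_date,
       ROUND(SYSDATE - NVL(u.password_date, u.creation_date))  AS days_on_current_pwd
  FROM apps.fnd_user u
 WHERE (u.end_date IS NULL OR u.end_date > SYSDATE)   -- active accounts only
   AND u.password_lifespan_days     IS NULL           -- no expiry in days ...
   AND u.password_lifespan_accesses IS NULL           -- ... nor in accesses
 ORDER BY id_type, days_on_current_pwd DESC;

-- Summary for the review record: how many active accounts of each type
-- currently have no expiration at all.
SELECT CASE WHEN u.employee_id IS NULL THEN 'generic/system'
            ELSE 'person' END                                  AS id_type,
       COUNT(*)                                                AS no_expiration
  FROM apps.fnd_user u
 WHERE (u.end_date IS NULL OR u.end_date > SYSDATE)
   AND u.password_lifespan_days     IS NULL
   AND u.password_lifespan_accesses IS NULL
 GROUP BY CASE WHEN u.employee_id IS NULL THEN 'generic/system'
               ELSE 'person' END;
```

Generic or integration accounts that legitimately cannot rotate on a schedule should appear in the first result with a documented owner and a compensating control, not silently.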
29. Manage Proxies
• Allows a user to determine who can act on their behalf for a time
• Equivalent to sharing your username and password
• Activity performed by another is logged under the delegator’s username
• R12.2 introduced
• “Designate proxy” to all users as a default
• “All or nothing is gone”, can now select certain responsibilities and workflows to delegate
• This should not be used without a business case and compensating controls
• User’s access does not appear in the system administrator module
• Run script to see if proxies exist
30. Proxy
• The delegate can't view what s/he did as someone’s proxy
• Periodically review the proxy report which shows all navigation
completed by the proxy user:
32. Profile Options
• Affects security, processes, controls
• 8000+ profile options
• Set at one or more levels.
• User takes precedence over the other levels
• Site level has the lowest priority
• Some maintained by users, most maintained by the SA responsibility
[Diagram: precedence from highest to lowest is User, Responsibility, Application (module), Site]
33. Profile Options – Diagnostics
• Utilities: Diagnostic & FND: Diagnostics
• These profile options should be set to “No” at all levels
• Risk: Allows users to change individual database records
• Hide Diagnostics Menu Entry
• Hides the diagnostic menu from users
• Profile option should be set to “Yes”
• The default is "No" or NOT hidden
34. Profile Options – Diagnostics – 12.1.3+ only
• Assign the “FND Diagnostics menu Examine Read Only” function to a Menu
• Ensure the profile option “Hide Menu Entry” is set to No
• Grant the seeded permission set to a role
• Assign the role to a user
• APPS password not required in read-only mode
35. Profile Options – Information Leakage
• Set of profile options that can defend against:
• Cross-site scripting (XSS)
• HTML injection attacks
• Parameter and URL tampering
• Can lead to data leaks
Profile Option^ | Default | Recommended
FND Validation Level | Error (as of R12) | Error*
FND Function Validation Level | Error (as of 11.5.10) | Error*
Framework Validation Level | Error (as of 11.5.10) | Error*
Restrict Text Input | Yes | Yes
IRC: XSS Filter | Null | Enabled
FND: Fixed Key Enabled | Null | Yes
FND: Fixed Key | None | Yes, only at User level
*R12.2 does not allow the profile option value to be changed
^ at Site level unless otherwise stated
36. Profile Options – Others
Profile Option^ | Purpose | Default | Recommended
Concurrent:Report Access Level | Determines access privileges to report output files and log files generated by a concurrent program | User | User
Sign-On:Notification | Warns users of key events such as failed concurrent requests, failed login attempts, and incorrect default printer settings | No | Yes
Personalize Self-Service Defn | Enables or disables the global Personalize Page link that appears on each self-service web application page | No | No at Site level; Yes at User level for approved individuals only
FND: Developer Mode | Enables the Edit Region global button. Also enables Developer Test Mode diagnostics. | Null | No at Site level; Yes at User level for approved individuals only
^ at Site level unless otherwise stated
37. Profile Options – Password Settings
• By default Oracle does not set strong password parameters
• Different studies have shown that a 10-character password containing a
symbol can take “years” for high-powered computers to break
Profile | Oracle Default | Recommended (Site)
Sign-on Password Case | None | Sensitive
Sign-on Password Failure Limit | None | 3 (attempts)
Sign-on Password Hard to Guess | No | Yes
Sign-on Password Length | 5 | 8 to 10 (characters)
Sign-on Password No Reuse | None | 180+ (days)
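An added example, not from the presentation, that lists the current value of the sign-on password profile options at every level so they can be compared with the recommended Site values above (the same query, with a different name pattern, serves the diagnostics and information-leakage profiles on slides 33 to 36). It assumes the standard FND_PROFILE_OPTIONS_VL and FND_PROFILE_OPTION_VALUES tables, the level ids 10001 to 10004, and that the sign-on password profiles share the internal name prefix SIGNON_PASSWORD (an assumption; adjust the LIKE pattern if your instance differs).

```sql
-- Added example, not from the original presentation.
-- Assumes FND_PROFILE_OPTIONS_VL (PROFILE_OPTION_ID, APPLICATION_ID,
-- PROFILE_OPTION_NAME, USER_PROFILE_OPTION_NAME) and
-- FND_PROFILE_OPTION_VALUES (LEVEL_ID: 10001 Site, 10002 Application,
-- 10003 Responsibility, 10004 User; LEVEL_VALUE; LEVEL_VALUE_APPLICATION_ID;
-- PROFILE_OPTION_VALUE).  Internal name prefix SIGNON_PASSWORD is assumed.
-- A profile with no Site row is running on the Oracle default shown in
-- the table above (LEFT JOIN keeps it in the output with NULL columns).
SELECT o.user_profile_option_name,
       DECODE(v.level_id, 10001, 'Site',
                          10002, 'Application',
                          10003, 'Responsibility',
                          10004, 'User',
                          NULL,  '(not set: Oracle default)',
                                 TO_CHAR(v.level_id))           AS level_name,
       CASE v.level_id
         WHEN 10002 THEN (SELECT a.application_short_name
                            FROM apps.fnd_application a
                           WHERE a.application_id = v.level_value)
         WHEN 10003 THEN (SELECT r.responsibility_key
                            FROM apps.fnd_responsibility r
                           WHERE r.responsibility_id = v.level_value
                             AND r.application_id = v.level_value_application_id)
         WHEN 10004 THEN (SELECT u.user_name
                            FROM apps.fnd_user u
                           WHERE u.user_id = v.level_value)
       END                                                      AS level_value_name,
       v.profile_option_value,
       v.last_update_date
  FROM apps.fnd_profile_options_vl o
  LEFT JOIN apps.fnd_profile_option_values v
         ON v.profile_option_id = o.profile_option_id
        AND v.application_id    = o.application_id
 WHERE o.profile_option_name LIKE 'SIGNON_PASSWORD%'
 ORDER BY o.user_profile_option_name, v.level_id, v.level_value;
```

Because User overrides Responsibility, Application and Site, any User-level row that weakens the Site value (a longer reuse window, a shorter length) is the one to question first.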
44. Sensitive Information
• Challenge: Finding the sensitive data
• 11 modules consisting of 20 known tables that display credit card data
• Are CCN, SSN, etc. stored in other non-designated fields (i.e. misc. fields)?
• Encrypt, restrict access
• Options include:
• SQL scripts
• EBSCheckCCEncryption.sql - Checks whether credit cards are encrypted in ‘Immediate’ mode
• Third party products
• Oracle AMP Data Scrambling
• Oracle OEM Data Masking
45. Non-Production / Cloning
• When environments are cloned from production, user access sometimes
increases (additional users, additional privileges) and configuration
settings get changed
• Controls:
• Change passwords of privileged ids when cloning to the app and db levels
• Metalink No. 419475.1 “Removing Credentials from a Cloned EBS Production Database”
• Scramble key data:
• Employee name, address, social security number, compensation details
• Customer name, address, credit card data
• Risks:
• Data confidentiality is breached
• Data is exfiltrated
• Privileged access to production
47. Sensitive Administrative Pages
• Some Oracle forms and pages allow for modification of the
application:
• Oracle Forms Controlled by Function Security (~47)
• HTML Pages Controlled by Function Security (~21)
• Functionality Controlled by Profile Options (3)
• Pages Controlled by JTF Permissions and Roles (3)
• Most of these are accessible only from SA menus and responsibilities,
where access should already be limited
• Eliminate or minimize access to these screens in a production system
• Oracle has published an SQL query to identify who has access to the forms
and pages; see MOS Note 1334930.1
50. Best Practices
• Ongoing monitoring of:
• Privileged IDs
• Generic IDs
• Key configuration (i.e. responsibilities, menus, profile options)
• Users without password expirations
• Proxies
• Approval processes are in place when making changes to configuration and users