Oracle E-Business Suite 12.2 Mobile Application Security

This is the tenth posting in a blog series summarizing the new Oracle E-Business Suite 12.2 Mobile and web services functionality and recommendations for securing them.

Oracle Corporation has been building out Mobile and Smartphone applications for the Oracle E-Business Suite for a number of releases. Before release 12.2.5, this functionality was designed only for deployment through a corporate VPN, not through an Oracle E-Business Suite external node over the Internet (e. (more...)

Oracle Unified Auditing Performance Issues and 12.2 Improvements

For those of you using and/or considering Unified Auditing, in case you might have missed it, Oracle has made significant changes to Unified Auditing in 12.2. Unified Auditing, new in Oracle 12c, represents a complete rewrite of how native database auditing works - see the links below for Integrigy research on Unified Auditing.

With Oracle 12.1, when using Unified Auditing, reads of the UNIFIED_AUDIT_TRAIL view were not performant. With Oracle 12.2, a new (more...)

Oracle E-Business Suite 12.2 Web Services Security for Oracle Supplier Network

This is the ninth posting in a blog series summarizing the new Oracle E-Business Suite 12.2 Mobile and web services functionality and recommendations for securing them.

The most common use of web services with the Oracle E-Business Suite is the Oracle Supplier Network (OSN). Do not confuse OSN with the Oracle Social Network (also referred to as OSN) or when configuring OSN, do not confuse the Oracle Transport Agent (OXTA) web services with Oracle (more...)

Guide to PeopleSoft Logging and Auditing – Revised Whitepaper

After discussions at Collaborate2017 with several PeopleSoft architects we have revised our Guide to PeopleSoft Auditing. The key change is the recommendation NOT to use PeopleSoft’s native database auditing and to instead use Oracle Fine Grained Auditing (FGA). FGA comes free with the Enterprise Edition of the Oracle RDBMS and, not only is it easier to implement, FGA does not have the performance impact of PeopleSoft’s native auditing.

If you have questions, please contact us at info@integrigy. (more...)

Oracle Audit Trail Add Program Name

The program name attribute (V$SESSION.PROGRAM) is not by default passed to Oracle’s audit logs. It can be optionally included. To do so, apply Patch 7023214 on the source database. After the patch is applied, the following event needs to be set:

ALTER SYSTEM SET
           EVENT='28058 trace name context forever'
           COMMENT='enable program logging in audit trail' SCOPE=SPFILE;

The table below summarizes key session attributes (V$SESSION) that are passed/not passed to Oracle auditing.

Oracle Audit Trails

Session (more...)

Oracle E-Business Suite 12.2 Mobile and Web Services Security Requires Web Application Firewall (WAF)

This is the eighth posting in a blog series summarizing the new Oracle E-Business Suite 12.2 Mobile and web services functionality and recommendations for securing them.

Web Application Firewalls (WAFs) cannot replace the URL Firewall, nor can the URL Firewall replace WAFs.  The URL Firewall provides the critical function of only allowing those forms and web services that have been both hardened by Oracle and flagged by the client as being used – (more...)

New Online Oracle Security PUBLIC Training Dates Including USA Time Zones

We have just agreed three new online classes to be taught in June and July. These are for my two day class How to perform a security audit of an Oracle database. The classes are two day events and will....[Read More]

Posted by Pete On 12/04/17 At 02:17 PM

PeteFinnigan.com In The Top 60 Oracle Database Blogs

I got a couple of emails over the last couple of weeks from Anuj at FeedSpot to tell me that my blog (This Oracle Security blog) has been listed in the top 60 Oracle Database blogs on the Feedspot website....[Read More]

Posted by Pete On 11/04/17 At 09:37 AM

Oracle E-Business Suite 12.2 Web Services Security: Authentication and Authorization

This is the seventh posting in a blog series summarizing the new Oracle E-Business Suite 12.2 Mobile and web services functionality and recommendations for securing them.

Once traffic is accepted and passed by the URL Firewall, WebLogic initiates the standard Oracle E-Business Suite authentication and authorization procedures. Web services are authenticated and authorized no differently than for end-users.

Authorization rules for web services are relatively easy to configure in that all web services are (more...)

Oracle Security Training Manuals For Sale

I had a reason today to go to our company storage for something today and whilst moving other things around to find what I needed I discovered two A4 boxes with printed manuals for some of our recent training classes....[Read More]

Posted by Pete On 05/04/17 At 02:22 PM

Oracle Listener Security New ORACLE 12.2 Firewall Feature

Service-Level ACLs is a new feature of the 12.2 Listener that allows every database service to have its own ACL. The ACL must be based on IP addresses and this feature allows multitenant pluggable databases (PDBs) to each have an ACL enforced by the Listener. This is because each PDB is a unique service registered in the Listener.

To implement this feature a new parameter FIREWALL must be used and has the following options:

How to Perform a Security Audit of an Oracle Database Training in Athens, Greece

I will be teaching my two-day class How to Perform a Security Audit of an Oracle Database in Athens, Greece on May 16th and 17th 2017 organised by Oracle University. This is a great class that helps you understand....[Read More]

Posted by Pete On 04/04/17 At 02:45 PM

Oracle Database Listener Security Guide – Rewritten For Oracle 12.2

In October 2002 Integrigy first posted a guide to securing the Oracle Listener. Since then this whitepaper has been our most popular download. This month we rewrote the whitepaper for Oracle 12c, inclusive of 12.2.

Integrigy Consulting has found the Database Listener to be one of the most frequently overlooked security risks at customers. This whitepaper is an overview of the Database Listener, its unique security risks, and step-by-step recommendations for securing it are (more...)

Is SQL Injection A WebSite Problem?

I saw a post on Rob Lockard's Facebook page this week where he said some people have suggested that his SQL Injection talk only shows calling a procedure from SQLCl and not a web page and he suggests that he may....[Read More]

Posted by Pete On 31/03/17 At 03:38 PM

Oracle E-Business Suite Mobile and Web Services Security Explained – Starting with URL Firewall

This is the sixth posting in a blog series summarizing the new Oracle E-Business Suite 12.2 Mobile and web services functionality and recommendations for securing them.

How are web services secured in Oracle 12.2? To start at the beginning, the “front door” of the Oracle E-Business Suite is its web server, the Apache server deployed within the WebLogic server that is installed with release 12.2. To secure an Apache web server largely (more...)

Creditcard and Bank Account Decryption No Longer Possible in Oracle E-Business Suite

In January 2014 Integrigy published extensive research and recommendations on how best to secure credit cards and bank accounts within the Oracle E-Business Suite. This research is available here: Oracle E-Business Suite: Credit Cards and PCI Compliance

With Release 12 of the Oracle E-Business Suite, Oracle consolidated into the new Payments module, new functionality to encrypt credit cards and external bank accounts. Integrigy’s recommendation in January 2014 was that if encryption was enabled, that (more...)

Deploying Oracle E-Business Suite 12.2 SOAP Web Services

This is the fifth posting in a blog series summarizing the new Oracle E-Business Suite 12.2 Mobile and web services functionality and recommendations for securing them.

Physically deploying SOAP-based web services for the Oracle E-Business Suite is more complicated than for REST. SOAP interfaces are best used to support heavy-duty solutions such as Business-to-Business (B2B) interfaces. To deploy SOAP services for the Oracle E-Business Suite, the Oracle SOA Suite must be licensed and configured. (more...)

Can You Say That An Oracle Database is nn% secure?

I often get this type of question from customers and also from people I speak to and even a few times by email. The question is "can you tell us how secure our database is?", is it 10% secure, is....[Read More]

Posted by Pete On 23/03/17 At 03:22 PM

PFCLScan – A Security Scanner For Oracle Databases – New Website

Our software product PFCLScan can be used to assess your Oracle databases for security issues that could make your data vulnerable to loss or attack. PFCLScan initially had its own website, PFCLScan.com but since the restyle and redesign of our....[Read More]

Posted by Pete On 22/03/17 At 08:24 PM

Integrigy Collaborate17 Schedule – Nine Presentations on Oracle, E-Business Suite and PeopleSoft Security

Integrigy is presenting nine (9) papers this year at Collaborate17 (https://collaborate.oaug.org/). Below is our schedule. If you have questions, or would like to meet with us while at Collaborate17, please contact us at info@integrigy.com.

Sunday Apr 02, 2017

1:45 PM     2:45 PM

Oracle E-Business Suite 12.2 Security Enhancements

https://app.attendcollaborate.com/event/member?item_id=5621519

Banyan E

Speaker: Stephen Kost

1:45 PM     2:45 PM

How to Control and Secure Your DBAs and Developers (more...)