Oracle Security Training

Yesterday I made a short video to talk about my two day class " How to Perform a Security audit of an Oracle database " and added the video to YouTube. This class is going to be delivered at a....[Read More]

Posted by Pete On 26/05/17 At 09:39 AM

O7_DICTIONARY_ACCESSIBILITY and UTL_FILE_DIR in Oracle 12c release 2

I was not in the beta program for Oracle database 12c release 2 but when I was discussing security changes in the new release with some people who were in the beta they told me that O7_DICTIONARY_ACCESSIBILITY and utl_file_dir parameters....[Read More]

Posted by Pete On 23/05/17 At 04:17 PM

SCAP OVAL SQL57_TEST Example For Oracle E-Business Suite

Last week I posted a blog introducing SCAP and OVAL. Here is a quick follow-up with a link to a sql57_test example using the Oracle E-Business Suite - it will suffice for any Oracle database.

A great book to read first on SCAP titled ‘Security Automation Essentials’ for $15 on Amazon is a must read:  https://www.amazon.com/Security-Automation-Essentials-Streamlined-Communication/dp/0071772510. I would highly recommend this book to anyone interested in SCAP and much thanks to Witte, Cook, Kerr and Shaffer (more...)

STIGS, SCAP, OVAL, Oracle Databases and ERP Security

Last week’s unprecedented ransomware cyber attacks (http://preview.tinyurl.com/lhjfjgk) caught me working through some research on security automation. The cyber attacks evidently were attributed to an unpatched Windows XP vulnerability. When challenged with securing 1,000s of assets such as all the Windows desktops and Linux servers in an organization, automation quickly becomes a requirement.

Automation is increasingly coming up in our client conversations about how to secure the technology ‘stack’ supporting large ERP (more...)

Oracle E-Business Suite APPS_NE Security Risks

The most recent version of the Oracle E-Business Suite, Release 12.2, introduces on-line patching to reduce downtime requirements. This new technical functionality is based on Edition-based redefinition provided by the Oracle 11gR2 database. For the E-Business Suite to make use of Editioning, Oracle has added a new schema to the ‘APPS’ family – the APPS_NE schema.

The APPS_NE schema is the owner of those objects previously owned by APPS that cannot be Editioned or (more...)

Oracle Security 12cR2 and Oracle Security Training Dates

I am going to be teaching my two day class "How to perform a security audit of an Oracle database" in Athens, Greece on the 30th and 31st May 2017. This is advertised on Oracle University website and you can....[Read More]

Posted by Pete On 08/05/17 At 03:51 PM

Recommended Approach for Oracle E-Business Suite 12.2 Mobile and Web Services Security

This is the eleventh and final posting in a blog series summarizing the new Oracle E-Business Suite 12.2 Mobile and web services functionality and recommendations for securing them.

Deploying Internet-based Oracle E-Business Suite web services requires proper configuration of the URL Firewall, both the url_fw.conf and url_fw_ws.conf and the use of a WAF – ideally the Oracle API Gateway. This recommendation applies equally to all whose only use of web services is (more...)

Oracle E-Business Suite APPLSYS, APPS and APPS_NE

The evolution of the Oracle E-Business Suite since its inception in the late 1980s has gone through many significant changes. For example, I can personally remember in the late 1990s upgrading clients to release 10.5 of the E-Business Suite with the big change being the introduction of the APPS schema.

The introduction of the APPS schema greatly simplified the technical interdependencies of the then 40+ applications of Release 10.5 of the E-Business Suite. The (more...)

Oracle 12cR2 Security – Listener Port

I downloaded Oracle 12cR2 from Oracle when it became available in March and installed a legacy SE2 database and also a single PDB multitenant database and started some investigations to discover and look at the new security features added in....[Read More]

Posted by Pete On 01/05/17 At 01:03 PM

Oracle E-Business Suite 12.2 Mobile Application Security

This is the tenth posting in a blog series summarizing the new Oracle E-Business Suite 12.2 Mobile and web services functionality and recommendations for securing them.

Oracle Corporation has been building out Mobile and Smartphone applications for the Oracle E-Business Suite for a number of releases. Before release 12.2.5, this functionality was designed only for deployment through a corporate VPN, not through an Oracle E-Business Suite external node over the Internet (e. (more...)

Oracle Unified Auditing Performance Issues and 12.2 Improvements

For those of you using and/or considering Unified Auditing, in case you might have missed, Oracle has made significant changes to Unified Auditing in 12.2. Unified Auditing, new in Oracle 12c, represents a complete rewrite of how native database auditing works - see the links below for Integrigy research on Unified Auditing.

With Oracle 12.1, when using Unified Auditing, reads of the UNIFIED_AUDIT_TRAIL view were not performant. With Oracle 12.2, a new (more...)

Oracle E-Business Suite 12.2 Web Services Security for Oracle Supplier Network

This is the ninth posting in a blog series summarizing the new Oracle E-Business Suite 12.2 Mobile and web services functionality and recommendations for securing them.

The most common use of web services with the Oracle E-Business Suite is the Oracle Suppler Network (OSN). Do not confuse OSN with the Oracle Social Network (also referred to as OSN) or when configuring OSN, do not confuse the Oracle Transport Agent (OXTA) web services with Oracle (more...)

Guide to PeopleSoft Logging and Auditing – Revised Whitepaper

After discussions at Collaborate2017 with several PeopleSoft architects we have revised our Guide to PeopleSoft Auditing. The key change is the recommendation NOT to use PeopleSoft’s native database auditing and to instead use Oracle Fine Grained Auditing (FGA). FGA comes free with the Enterprise Edition of the Oracle RDBMS and, not only is it easier to implement, FGA does not have the performance impact of PeopleSoft’s native auditing.

If you have questions, please contact us at info@integrigy. (more...)

Oracle Audit Trail Add Program Name

The program name attribute (V$SESSION.PROGRAM) is not by default passed to Oracle’s audit logs. It can be optionally included. To do so, apply Patch 7023214 on the source database. After the patch is applied, the following event needs to be set:

ALTER SYSTEM SET
           EVENT='28058 trace name context forever'
           COMMENT='enable program logging in audit trail' SCOPE=SPFILE;

The table below summarizes key session attributres (V$SESSION) the are passed/not passed to Oracle auditing

Oracle Audit Trails

Session (more...)

Oracle E-Business Suite 12.2 Mobile and Web Services Security Requires Web Application Firewall (WAF)

This is the eighth posting in a blog series summarizing the new Oracle E-Business Suite 12.2 Mobile and web services functionality and recommendations for securing them.

Web Application Firewalls (WAFs) cannot replace the URL Firewall, nor can the URL Firewall replace WAFs.  The URL Firewall provides the critical function of only allowing those forms and web services that have been both hardened by Oracle and flagged by the client as being used – (more...)

New Online Oracle Security PUBLIC Training Dates Including USA Time Zones

We have just agreed three new online classes to be taught in June and July. These are for my two day class How to perform a security audit of an Oracle database. The classes are two day events and will....[Read More]

Posted by Pete On 12/04/17 At 02:17 PM

PeteFinnigan.com In The Top 60 Oracle Database Blogs

I got a couple of emails over the last couple of weeks from Anuj at FeedSpot to tell me that my blog (This Oracle Security blog) has been listed in the top 60 Oracle Database blogs on the Feedspot website....[Read More]

Posted by Pete On 11/04/17 At 09:37 AM

Oracle E-Business Suite 12.2 Web Services Security: Authentication and Authorization

This is the seventh posting in a blog series summarizing the new Oracle E-Business Suite 12.2 Mobile and web services functionality and recommendations for securing them.

Once traffic is accepted and passed by the URL Firewall, WebLogic initiates the standard Oracle E-Business Suite authentication and authorization procedures. Web services are authenticated and authorized no differently than for end-users.

Authorization rules for web services are relatively easy to configure in that all web services are (more...)

Oracle Security Training Manuals For Sale

I had a reason today to go to our company storage for something today and whilst moving other things around to find what I needed I discovered two A4 boxes with printed manuals for some of our recent training classes....[Read More]

Posted by Pete On 05/04/17 At 02:22 PM

Oracle Listener Security New ORACLE 12.2 Firewall Feature

Service-Level ALCs is a new feature of the 12.2 Listener that allows every database service to have its own ACL. The ACL must be based on IP addresses and this feature allows multitenant pluggable databases (PDBs) to each have an ACL enforced by the Listener. This is because each PDB is a unique service registered in the Listener.

To implement this feature a new parameter FIREWALL must be used and has the following options: