Upgrade Security in Your Oracle R12 Upgrade
Stephen Kost, Chief Technology Officer, Integrigy Corporation
NCOAUG Winter 2011, February 25, 2011
Integrigy Overview
Integrigy Corporation is a leader in application security for enterprise mission-critical applications. AppSentry, our application and database security assessment tool, assists companies in securing their largest and most important applications through detailed security audits and actionable recommendations. Integrigy Consulting offers comprehensive security assessment services for leading databases and ERP applications, enabling companies to leverage our in-depth knowledge of this significant threat to business operations.
Corporate Details
- Founded December 2001
- Privately held
- Based in Chicago, Illinois
Background
Speaker: Stephen Kost
- CTO and Founder
- 16 years working with Oracle
- 12 years focused on Oracle security
- DBA, Apps DBA, technical architect, IT security
- Security design and assessment of Oracle databases
- Security design and assessment of the Oracle E-Business Suite
- AppSentry security assessment software tool
Company: Integrigy Corporation
- Integrigy bridges the gap between databases and security
Integrigy Security Alerts
Security Alert:
- Critical Patch Update July 2008
- Critical Patch Update April 2008
- Critical Patch Update July 2007
- Critical Patch Update October 2005
- Critical Patch Update July 2005
- Critical Patch Update April 2005
- Critical Patch Update Jan 2005
- Oracle Security Alert #68
- Oracle Security Alert #67
- Oracle Security Alert #56
- Oracle Security Alert #55
- Oracle Security Alert #53
Versions (column values in slide order): Oracle 11g, 11.5.8, 12.0.x, 12.0.x, 11.5.7, 11.5.10, 12.0.x, 11.5.1, 11.5.10, 11.5.1, 11.5.10, 11.0.x, 11.5.1, 11.5.10, 11.0.x, 11.5.1, 11.5.10, 11.0.x, 11.5.1, 11.5.10, 11.0.x, Oracle 8i/9i/10g, 11.5.1, 11.5.8, 11.0.x, 11.5.1, 11.5.8, 11.0.x, 11.5.1, 11.5.8, 10.7/11.0.x, 11.5.1, 11.5.8
Security Vulnerabilities (column values in slide order):
- 2 issues in Oracle RDBMS authentication
- 2 Oracle E-Business Suite vulnerabilities
- 8 vulnerabilities: SQL injection, XSS, information disclosure, etc.
- 11 vulnerabilities: SQL injection, XSS, information disclosure, etc.
- Default configuration issues
- SQL injection vulnerabilities
- Information disclosure
- SQL injection vulnerabilities
- Information disclosure
- SQL injection vulnerabilities
- Buffer overflows
- Listener information leakage
- 10 SQL injection vulnerabilities
- Buffer overflow in FNDWRR.exe
- Multiple vulnerabilities in AOL/J Setup Test
- Obtain sensitive information (valid session)
- No authentication in FNDFS program
- Retrieve any file from O/S
Agenda
- Improving Security during the Upgrade
- 11i and R12 Differences
- R12 New Security Features
- R12 Security Enhancements
- Q&A
Why do Security during the upgrade?
Technology Stack Upgrades
- New version = new security features
- Reset of security patching: should be current at go-live
Functional, Technical, & Stress Testing
- Functional application testing
- Performance and stress testing
Modifications to Customizations
- Some or many customizations must be upgraded
- Ideal time to review development standards
Traditional R12 Upgrade Project
Evaluate > Plan > Test > Upgrade > Post Upgrade
Security-Aware R12 Upgrade Project
Goal: High security value, low project effort, major testing required, low project risk
Evaluate:
- Security and compliance gap analysis
- Review new application and technology stack security features
Plan
Test:
- Functional and technical test of new security features
- Performance test auditing enhancements
Upgrade
Post Upgrade:
- Implement security process improvements
- Post-upgrade security review
Example Upgrade Security Enhancements
(The enhancement names did not survive in this copy; the ratings are given in slide order.)
Security Enhancement | Security Value | Project Effort | Testing Required | Project Risk
1 | High | Medium | High | Medium
2 | High | Low | Medium | Low
3 | High | Low | High | Medium
4 | High | Low | Medium | Low
5 | Medium | Low | Medium | Low
6 | Medium | Medium | Medium | Low
7 | Medium | Low | Low | Low
8 | Low | High | High | High
R12 Upgrade Impacted Security Processes
Oracle Applications Technical Components: Oracle Applications | Database | Application Server | Operating System
1. Account Security
- 1.1 User Management
- 1.2 Segregation of Duties
- 1.3 Database Security
- 1.4 Network and Web
- 1.5 OS Security
2.
- 2.1 Data Management and Privacy
- 2.3 Web Access
- 2.4 File Permissions
3.
- 3.1 Application Auditing
- 3.3 Web Logging
- 3.4 OS Auditing
4.
- 4.1 Application
- 4.2 Database
- 4.3 Web and Forms
- 4.4 Operating System
5. Change Management
- 5.1 Object Migrations
- 5.3 Change Control
- 5.4 Database Configuration
- 5.5 Change Control
- 5.6 Change Control
6. Patching
- 6.2 Database Patches
- 6.3 Application Server Patches
- 6.4 OS Patches
7. Development
- 7.1 Application
- 7.2 Database
- 7.3 Web
- 7.4 Web Services and SOA
- 7.5 Shell and File Transfer
11i/R12 Architecture Differences
Oracle EBS 11.5.10.2 Application Server (circa 1999):
- JServ
- Apache 1.3.19
- Web Listener
- Removed in R12
Oracle EBS 12.1.3 Application Server:
- Oracle AS 10g 10.1.2/10.1.3
- App Server upgradable
11i/R12 Architecture Differences
Oracle Database Upgrade
- 9.2/10.2 replaced with 11.2
- 11.2 has TDE tablespace encryption
Oracle JInitiator > Sun JRE
- Improved support and standardization
mod_plsql retired
- Significant security vulnerabilities historically
- Allowed direct execution of PL/SQL packages in the database
Forms Server > Forms Listener Servlet
- All network traffic through the Apache server, no standalone port
Oracle Reports > XML Publisher
- Improved security model and features
Critical Patch Updates
- R12 Critical Patch Updates are cumulative
- 11i introduced cumulative patches with the January 2010 CPU
Database Version (Upgrade Patch) | Included CPU
10.2.0.4 | April 2008
11.1.0.6 | October 2007
11.1.0.7 | January 2009
11.2.0.1 | January 2010
11.2.0.2 | January 2011
EBS Version | Included CPU
12.0.6 | October 2008
12.1.1 | April 2009
12.1.2 | October 2009
12.1.3 | January 2011*
* Estimated by Integrigy
R12 Application Users Added
New application accounts from 12.0.0 onward:
INDUSTRY DATA, ORACLE12.0.0, ORACLE12.1.0, ORACLE12.2.0, ORACLE12.3.0, ORACLE12.4.0, ORACLE12.5.0, ORACLE12.6.0, ORACLE12.7.0, ORACLE12.8.0, ORACLE12.9.0
Database Accounts Added
- A new database account is added for each new product module
- Database accounts are active with the default password
- Partial list of new module database accounts:
Protecting Database Accounts
Use AFPASSWD rather than FNDCPASS
- Lock product schema accounts:
  > AFPASSWD -L TRUE
Oracle 11g case-sensitive passwords (12.1 only)
- SEC_CASE_SENSITIVE_LOGON = TRUE
- APPLSYSPUB must always be uppercase
Change the APPLSYSPUB password
- Finally works in R12 and is supported by Oracle
- Also make sure the password is changed in AutoConfig
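An added post-upgrade check (not from the slides or from Oracle) that a DBA can run to confirm the account points above and the default-password accounts noted under Database Accounts Added. It assumes an Oracle 11g dictionary (DBA_USERS, DBA_USERS_WITH_DEFPWD) and the standard APPLSYS.FND_ORACLE_USERID registry of EBS schemas; treating every registered schema other than APPS, APPLSYS and APPLSYSPUB as a product schema is an assumption.

```sql
-- Added example, not part of the Integrigy deck. Run as a DBA after the upgrade.
-- Assumes Oracle 11g views and the standard R12 schema names.

-- 1. Case-sensitive password checking (slides: 12.1 only). If TRUE,
--    APPLSYSPUB must keep its uppercase password.
SELECT name, value
  FROM v$parameter
 WHERE name = 'sec_case_sensitive_logon';

-- 2. EBS-registered product schemas that are still OPEN in the database.
--    After "AFPASSWD -L TRUE" these should report LOCKED, so any row here
--    is an account the upgrade left unlocked. Exclusion list is an assumption.
SELECT u.username, u.account_status, u.lock_date
  FROM dba_users u
  JOIN applsys.fnd_oracle_userid f
    ON f.oracle_username = u.username
 WHERE u.username NOT IN ('APPS', 'APPLSYS', 'APPLSYSPUB')
   AND u.account_status = 'OPEN'
 ORDER BY u.username;

-- 3. Open accounts (EBS or not) whose password Oracle recognises as a
--    default, e.g. module schemas the upgrade created with the default.
SELECT d.username, u.account_status
  FROM dba_users_with_defpwd d
  JOIN dba_users u
    ON u.username = d.username
 WHERE u.account_status = 'OPEN'
 ORDER BY d.username;
```

Queries 2 and 3 returning no rows is the expected end state; DBA_USERS_WITH_DEFPWD only knows Oracle-shipped defaults, so it does not replace the AFPASSWD work itself.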
Web Server Traffic Encryption (SSL)
Improved SSL support
- Changed from mod_ssl > mod_ossl
- Uses Oracle Wallet for storing certificates
- Only strong ciphers enabled and SSLv2 disabled
Advanced Configuration Wizards
New Advanced Configuration Wizards for complex setups of advanced configurations
- Available through OAM
- DNS load balancing
- HTTP load balancing
- SSL setup on web server
- SSL Accelerator setup
Oracle Connection Manager
Oracle Connection Manager supported
- Advanced security to restrict database connections
- Like Managed SQL*Net Access, but on steroids
- See Metalink Note ID 558959.1
RBAC and User Management
Role-Based Access Control (RBAC)
- RBAC is an ANSI standard for access control
- Allows for responsibilities to be assigned through roles
- Role inheritance and role categories
- See Metalink Note ID 290525.1
Oracle User Management (UMX)
- New user registration
- Enhanced Forgot Username/Password functionality
- New security wizards
Proxy User
Proxy User allows a user to specify a proxy who can act on their behalf.
For example, an executive can designate an assistant as a proxy, allowing that assistant to create, edit or approve transactions on behalf of that executive.
PCI PA-DSS
Oracle PA-DSS Consolidated Patch for 12.1
- Reduces complexity of PCI DSS compliance
- Fixes multiple functional weaknesses when processing and viewing credit card data
- Does not eliminate significant manual configuration for PCI DSS
- Only 12.1 is PA-DSS compliant
- See Metalink Note ID 984283.1
11i and 12.0 will not be PA-DSS compliant
- See Metalink Note ID 1101213.1
R12 Upgrade Security Recommendations
Include security tasks throughout the upgrade project
- Implement high-value, low-effort security improvements and enhancements
- Leverage the free testing cycles
Adhere to the Oracle Best Practices for Oracle EBS security
- See Metalink Note ID 403537.1
- Written by Integrigy; Oracle has not updated it since 2007
Validate the security configuration post-upgrade
- Perform a post-upgrade security scan or review
- Validate compliance against security best practices
- Oracle E-Business Suite is complex and the devil is in the details
Upcoming Integrigy Events
Webinar: Protecting Your Sensitive Data
- Wednesday, March 16, 2pm EDT
COLLABORATE 11 (OAUG and IOUG)
- Protecting Sensitive Data in the Oracle E-Business Suite
- Securing the Oracle E-Business Suite Best Practices Panel
- Security Bootcamp: Real-life Database Security Mistakes
- Credit Cards and Oracle: How to Comply with PCI DSS
- Real-life E-Business Suite Security Mistakes
Integrigy Contact Information
Stephen Kost, Chief Technology Officer, Integrigy Corporation
email: info@integrigy.com
blog: integrigy.com/oraclesecurityblog
For information on
www.integrigy.com
Copyright 2011 Integrigy Corporation. All rights reserved.