
mission critical applications | mission critical security

Upgrade Security in Your Oracle R12 Upgrade
Stephen Kost, Chief Technology Officer, Integrigy Corporation

NCOAUG Winter 2011, February 25, 2011

Integrigy Overview
Integrigy Corporation is a leader in application security for enterprise mission critical applications. AppSentry, our application and database security assessment tool, assists companies in securing their largest and most important applications through detailed security audits and actionable recommendations. Integrigy Consulting offers comprehensive security assessment services for leading databases and ERP applications, enabling companies to leverage our in-depth knowledge of this significant threat to business operations.

Corporate Details
Founded December 2001. Privately held. Based in Chicago, Illinois.

Background

Speaker: Stephen Kost
- CTO and Founder
- 16 years working with Oracle
- 12 years focused on Oracle security
- DBA, Apps DBA, technical architect, IT security
- Security design and assessment of Oracle databases
- Security design and assessment of the Oracle E-Business Suite
- AppSentry security assessment software tool

Company: Integrigy Corporation
Integrigy bridges the gap between databases and security

Integrigy Security Alerts

| Security Alert                     | Versions                                    | Security Vulnerabilities                                                              |
|------------------------------------|---------------------------------------------|---------------------------------------------------------------------------------------|
| Critical Patch Update July 2008    | Oracle 11g                                  | 2 issues in Oracle RDBMS authentication                                               |
| Critical Patch Update April 2008   | 11.5.8 - 12.0.x                             | 2 Oracle E-Business Suite vulnerabilities                                             |
| Critical Patch Update July 2007    | 12.0.x, 11.5.7 - 11.5.10                    | 8 vulnerabilities: SQL injection, XSS, information disclosure, etc.                   |
| Critical Patch Update October 2005 | 12.0.x, 11.5.1 - 11.5.10                    | 11 vulnerabilities: SQL injection, XSS, information disclosure, etc.                  |
| Critical Patch Update July 2005    | 11.5.1 - 11.5.10, 11.0.x                    | Default configuration issues, SQL injection vulnerabilities, information disclosure   |
| Critical Patch Update April 2005   | 11.5.1 - 11.5.10, 11.0.x                    | SQL injection vulnerabilities, information disclosure                                 |
| Critical Patch Update January 2005 | 11.5.1 - 11.5.10, 11.0.x                    | SQL injection vulnerabilities                                                         |
| Oracle Security Alert #68          | 11.5.1 - 11.5.10, 11.0.x, Oracle 8i/9i/10g  | Buffer overflows, listener information leakage                                        |
| Oracle Security Alert #67          | 11.5.1 - 11.5.8, 11.0.x                     | 10 SQL injection vulnerabilities                                                      |
| Oracle Security Alert #56          | 11.5.1 - 11.5.8, 11.0.x                     | Buffer overflow in FNDWRR.exe                                                         |
| Oracle Security Alert #55          | 11.5.1 - 11.5.8, 10.7, 11.0.x               | Multiple vulnerabilities in AOL/J Setup Test; obtain sensitive information (valid session) |
| Oracle Security Alert #53          | 11.5.1 - 11.5.8                             | No authentication in FNDFS program; retrieve any file from O/S                        |

Agenda
1. Improving Security during the Upgrade
2. 11i and R12 Differences
3. R12 Security Enhancements: R12 New Security Features
4. Q&A


Why do Security during the upgrade?

Technology Stack Upgrades
- New version = new security features
- Reset of security patching: should be current at go-live

Functional, Technical, & Stress Testing
- Functional application testing
- Performance and stress testing

Modifications to Customizations
- Some or many customizations must be upgraded
- Ideal time to review development standards

Traditional R12 Upgrade Project

Evaluate -> Plan -> Test -> Upgrade -> Post Upgrade
Security    Security    Security    Security    Security

Security Aware R12 Upgrade Project
Goal: High security value, low project effort, major testing required, low project risk

Evaluate
- Security and compliance gap analysis
- Review new application and technology stack security features

Plan
- Improve security and compliance processes
- Develop new security features
- Customization security reviews

Test
- Functional and technical test of new security features
- Performance test auditing enhancements

Upgrade
- Implement new security features
- Latest security patches
- Upgrade hardening task
- Security scan

Post Upgrade
- Implement security process improvements
- Post upgrade security review

Example Upgrade Security Enhancements

| Security Enhancement       | Security Value | Project Effort | Testing Required | Project Risk |
|----------------------------|----------------|----------------|------------------|--------------|
| Restricted Database Access | High           | Medium         | High             | Medium       |
| Auditing                   | High           | Low            | Medium           | Low          |
| Encryption                 | High           | Low            | High             | Medium       |
| Security Patches           | High           | Low            | Medium           | Low          |
| Security Hardening         | Medium         | Low            | Medium           | Low          |
| Database Access Controls   | Medium         | Medium         | Medium           | Low          |
| Data Scrambling            | Medium         | Low            | Low              | Low          |
| Single Sign-on             | Low            | High           | High             | High         |

R12 Upgrade Impacted Security Processes

Oracle Applications technical components: Oracle Applications, Database, Application Server, Operating System

Operational Processes
1. Account Security: 1.1 User Management; 1.2 Segregation of Duties; 1.3 Database Security; 1.4 Network and Web; 1.5 OS Security
2. Data Security: 2.1 Data Management and Privacy; 2.2 Database Access and Privileges; 2.3 Web Access; 2.4 File Permissions
3. Auditing: 3.1 Application Auditing; 3.2 Database Auditing; 3.3 Web Logging; 3.4 OS Auditing
4. Monitoring and Troubleshooting: 4.1 Application; 4.2 Database; 4.3 Web and Forms; 4.4 Operating System
5. Change Management: 5.1 Object Migrations; 5.2 Application Configuration; 5.3 Change Control; 5.4 Database Configuration; 5.5 Change Control; 5.6 Change Control
6. Patching: 6.1 Application Patches; 6.2 Database Patches; 6.3 Application Server Patches; 6.4 OS Patches
7. Development: 7.1 Application; 7.2 Database; 7.3 Web; 7.4 Web Services and SOA; 7.5 Shell and File Transfer


11i/R12 Architecture Differences

Oracle EBS 11.5.10.2 Application Server
- Oracle 9iAS 1.0.2.2.2 (version desupported ~2005)
- Apache 1.3.19 Web Listener
- JServ (circa 1999)
- JSP, BC4J, mod_plsql, Reports, Forms
- 8.0.6.3 Oracle Home

Oracle EBS 12.1.3 Application Server
- Oracle AS 10g 10.1.2/10.1.3 (app server upgradable)
- Apache 1.3.34 Web Listener (current is 1.3.42 or 2.2.17)
- OC4J (replaces JServ)
- JSP, BC4J, UIX, Reports, Forms
- mod_plsql removed in R12

11i/R12 Architecture Differences

Oracle Database Upgrade
- 9.2/10.2 replaced with 11.2
- 11.2 has TDE tablespace encryption

Oracle Jinitiator > Sun JRE
- Improved support and standardization

mod_plsql retired
- Significant security vulnerabilities historically
- Allowed direct execution of PL/SQL packages in the database

Forms Server > Forms Listener Servlet
- All network traffic through the Apache server; no standalone port

Oracle Reports > XML Publisher
- Improved security model and features

Critical Patch Updates
- R12 Critical Patch Updates are cumulative
- 11i introduced cumulative patches with the January 2010 CPU

| Database Version (Upgrade Patch) | Included CPU  |
|----------------------------------|---------------|
| 10.2.0.4                         | April 2008    |
| 11.1.0.6                         | October 2007  |
| 11.1.0.7                         | January 2009  |
| 11.2.0.1                         | January 2010  |
| 11.2.0.2                         | January 2011  |

| EBS Version | Included CPU   |
|-------------|----------------|
| 12.0.6      | October 2008   |
| 12.1.1      | April 2009     |
| 12.1.2      | October 2009   |
| 12.1.3      | January 2011*  |

* Estimated by Integrigy

R12 Application Users Added
- New application accounts from 12.0.0 onward: INDUSTRY DATA, ORACLE12.0.0, ORACLE12.1.0, ORACLE12.2.0, ORACLE12.3.0, ORACLE12.4.0, ORACLE12.5.0, ORACLE12.6.0, ORACLE12.7.0, ORACLE12.8.0, ORACLE12.9.0
- All are active accounts with invalid passwords

Database Accounts Added
- A new database account is added for each new product module
- Database accounts are active with the default password
- Partial list of new module database accounts: CA, DDR, DNA, DPP, FTP, GMO, IBW, INL, IPM, ITA, JMF, MTH, PFT, QPR, RRS, ...


Protecting Database Accounts

Use AFPASSWD rather than FNDCPASS
- Lock product schema accounts: > AFPASSWD -L TRUE
- Improved separation of duties
- Fewer errors changing passwords, with a password confirmation entry
- See R12 SAG Configuration

Oracle 11g case sensitive passwords (12.1 only)
- SEC_CASE_SENSITIVE_LOGON=TRUE
- APPLSYSPUB must always be uppercase

Change the APPLSYSPUB password
- Finally works in R12 and is supported by Oracle
- Also make sure the password is changed in AutoConfig
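The account checks from the preceding slides (the R12 application users and product schema accounts that are added by the upgrade, and the case-sensitive password setting above), written as a post-upgrade validation script. This is an added example, not code from the presentation, from Integrigy or from Oracle. It assumes an Oracle 11g database (DBA_USERS_WITH_DEFPWD exists from 11.1), a session with SELECT on the DBA and V$ views and on APPS.FND_USER, and that seeded application accounts carry the literal value 'INVALID' in ENCRYPTED_USER_PASSWORD; the schema names and the ORACLE12.x.0 pattern are taken from the slides.

```sql
-- Added example (not from the presentation): post-upgrade account checks.
-- Assumptions: Oracle 11g or later, run as a DBA-level user with SELECT on
-- DBA_USERS, DBA_USERS_WITH_DEFPWD, V$PARAMETER and APPS.FND_USER.

-- 1. Product schema accounts added by R12 (partial list from the slide)
--    that are still open, or whose password is still the default.
--    Expected after hardening: no rows.
SELECT u.username,
       u.account_status,
       CASE WHEN d.username IS NOT NULL THEN 'DEFAULT' ELSE 'changed' END
         AS password_state
FROM   dba_users u
       LEFT JOIN dba_users_with_defpwd d ON d.username = u.username
WHERE  u.username IN ('CA','DDR','DNA','DPP','FTP','GMO','IBW','INL',
                      'IPM','ITA','JMF','MTH','PFT','QPR','RRS')
AND    (u.account_status NOT LIKE 'LOCKED%' OR d.username IS NOT NULL)
ORDER  BY u.username;

-- 2. Case-sensitive passwords (12.1 only): expect VALUE = TRUE.
--    Remember that APPLSYSPUB's password must stay uppercase once this is on.
SELECT name, value
FROM   v$parameter
WHERE  name = 'sec_case_sensitive_logon';

-- 3. Seeded application users added from 12.0.0 onward that are still
--    active (no end date, or an end date in the future).
--    The 'INVALID' marker for seeded accounts is an assumption made here.
SELECT user_name,
       end_date_active,
       CASE WHEN encrypted_user_password = 'INVALID'
            THEN 'invalid password' ELSE 'has password' END AS password_state
FROM   apps.fnd_user
WHERE  (user_name LIKE 'ORACLE12.%' OR user_name = 'INDUSTRY DATA')
AND    (end_date_active IS NULL OR end_date_active > SYSDATE)
ORDER  BY user_name;
```

Run the script in SQL*Plus after the upgrade and again after the hardening task. Any row from the first query is a product schema to lock (the slide's AFPASSWD -L TRUE) or to reset; any row from the third is a seeded application user that should be end-dated, since an account with an invalid password is still an active identity the application will list and report on.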

Web Server Traffic Encryption (SSL)

Improved SSL support
- Changed from mod_ssl > mod_ossl
- Uses Oracle Wallet for storing certificates
- Only strong ciphers enabled and SSLv2 disabled
- Provides AutoConfig support for securing the major communication routes with SSL
- See Metalink Note ID 376700.1

Advanced Configuration Wizards
- New Advanced Configuration Wizards for complex setups of advanced configurations
- Available through OAM: DNS load balancing, HTTP load balancing, SSL setup on the web server, SSL Accelerator setup


Oracle Connection Manager

Oracle Connection Manager supported
- Advanced security to restrict database connections
- Like Managed SQL*Net Access, but on steroids
- See Metalink Note ID 558959.1

RBAC and User Management

Role Based Access Control (RBAC)
- RBAC is an ANSI standard for access control
- Allows responsibilities to be assigned through roles
- Role inheritance and role categories
- See Metalink Note ID 290525.1

Oracle User Management (UMX)
- New user registration
- Enhanced Forgot Username/Password functionality
- New security wizards

Proxy User
- Proxy User allows a user to specify a proxy who can act on their behalf.
- For example, an executive can designate an assistant as a proxy, allowing that assistant to create, edit or approve transactions on behalf of that executive.
- Generally, avoid use due to auditing issues
- Can be used to solve the concurrent request scheduling problem

PCI PA-DSS

Oracle PA-DSS Consolidated Patch for 12.1
- Reduces complexity of PCI DSS compliance
- Fixes multiple functional weaknesses when processing and viewing credit card data
- Does not eliminate significant manual configuration for PCI DSS
- Only 12.1 is PA-DSS compliant
- See Metalink Note ID 984283.1

11i and 12.0 will not be PA-DSS compliant
- See Metalink Note ID 1101213.1

R12 Upgrade Security Recommendations

Include security tasks throughout the upgrade project
- Implement high value, low effort security improvements and enhancements
- Leverage the free testing cycles

Adhere to the Oracle Best Practices for Oracle EBS security
- See Metalink Note ID 403537.1
- Written by Integrigy; Oracle has not updated it since 2007

Validate the security configuration post upgrade
- Perform a post upgrade security scan or review
- Validate compliance against security best practices
- Oracle E-Business Suite is complex and the devil is in the details


Upcoming Integrigy Events

Webinar: Protecting Your Sensitive Data
Wednesday, March 16, 2pm EDT

COLLABORATE 11 (OAUG and IOUG)
- Protecting Sensitive Data in the Oracle E-Business Suite
- Securing the Oracle E-Business Suite Best Practices Panel
- Security Bootcamp: Real-life Database Security Mistakes
- Credit Cards and Oracle: How to Comply with PCI DSS
- Real-life E-Business Suite Security Mistakes

Integrigy Contact Information
Stephen Kost, Chief Technology Officer, Integrigy Corporation

email: info@integrigy.com
blog: integrigy.com/oraclesecurityblog

For information on Oracle Database Security, Oracle E-Business Suite Security, Oracle Critical Patch Updates and the Oracle Security Blog, see www.integrigy.com

Copyright 2011 Integrigy Corporation. All rights reserved.
