
Oracle E-Business Suite Security – Myths and Realities


Stella Joyce Bulu
AppsTech Apps DBA

 


There are many misconceptions about securing Oracle E-Business Suite, and most Apps DBAs simply call them myths. Against each myth stands a reality, and the realities show that securing Oracle E-Business Suite takes more than installing an antivirus on the server or handing out passwords. Threats come at different levels and in different forms: loss or theft of data, fraud, and misuse of system privileges are all risks to the application.

I'll list a few myths and realities that many users of Oracle E-Business Suite, myself included, have run into. After researching and documenting them, the following came out:

Myth n°1: Oracle E-Business Suite is secure out of the box.

The reality is that Oracle E-Business Suite requires significant effort to make it secure and compliant.

For Release 12, at a minimum, work through My Oracle Support Notes 403537.1 (the Secure Configuration Guide), 380490.1 and 376700.1.

It ships with default passwords for up to 300 database accounts, one per product schema, and the shipped password is typically the schema name itself. Those passwords must be changed with Oracle's FNDCPASS utility (or AFPASSWD in later releases) rather than with a plain ALTER USER, so that the copy the application keeps in FND_ORACLE_USERID stays in step with the database. Separately, the system administrator must set the Signon Password profile options (minimum length, complexity, failure limit, reuse) to match the organization's password policy; the shipped values should not be relied on.

  • Oracle EBS password decryption

By default, end-user application passwords in Oracle EBS are stored encrypted, not hashed.

All account passwords are held in the FND_USER table (column ENCRYPTED_USER_PASSWORD). The encryption is reversible and its key is derived from the APPS schema password, so anyone holding the APPS password, or a copy of the table together with that password, can recover every user's clear-text password. Procedures that do exactly this are well documented, and most of them are published on the Internet.

Oracle also offers a one-way hashed password mode, but it is optional and is not enabled by default even in R12; the DBA has to switch it on by migrating the existing passwords with FNDCPASS in USERMIGRATE mode. The migration cannot be undone, so test it in a non-production instance first.

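The three checks behind Myth n°1 (default database passwords, the sign-on password policy, and whether FND_USER still holds reversible passwords) can be run from SQL*Plus. The queries below are an added example, not from the original article and not one of Oracle's own scripts. They assume a Release 12 instance, a session with access to the `apps` schema and the `DBA_*` views (APPS plus the DBA role, or a DBA account), and the `ZG`/`ZH` prefix convention that the USERMIGRATE mode uses to mark encrypted versus hashed values; confirm that convention against the My Oracle Support note for your release before acting on the third result.

```sql
-- Added audit queries for Myth n°1 (example, not from the article or Oracle).
-- Run in SQL*Plus as APPS with the DBA role (or a DBA account) on a test
-- instance first. Assumptions: Release 12 data model, 'apps' schema prefix,
-- and the ZG (encrypted) / ZH (hashed) prefix convention of FNDCPASS USERMIGRATE.

-- 1. Database accounts still on a password Oracle itself lists as a default.
--    DBA_USERS_WITH_DEFPWD exists from 11g onward; product schemas that
--    belong to E-Business Suite are registered in FND_ORACLE_USERID.
SELECT d.username,
       u.account_status,
       CASE WHEN f.oracle_username IS NOT NULL THEN 'EBS product schema'
            ELSE 'other'
       END AS account_kind
FROM   dba_users_with_defpwd d
       JOIN dba_users u ON u.username = d.username
       LEFT JOIN apps.fnd_oracle_userid f ON f.oracle_username = d.username
ORDER  BY account_kind, d.username;

-- 2. Site-level values of the Signon Password policy profile options.
--    LEVEL_ID 10001 is the Site level; a NULL value means the option was
--    never set and the shipped default still applies.
SELECT o.profile_option_name,
       o.user_profile_option_name,
       v.profile_option_value
FROM   apps.fnd_profile_options_vl o
       LEFT JOIN apps.fnd_profile_option_values v
              ON v.profile_option_id = o.profile_option_id
             AND v.application_id    = o.application_id
             AND v.level_id          = 10001
WHERE  o.profile_option_name LIKE 'SIGNON_PASSWORD%'
ORDER  BY o.profile_option_name;

-- 3. Are active application users still on reversible encryption ('ZG...')
--    or already migrated to one-way hashes ('ZH...')?
SELECT storage_mode, COUNT(*) AS users
FROM  (SELECT CASE
                WHEN encrypted_user_password LIKE 'ZG%' THEN 'encrypted (reversible)'
                WHEN encrypted_user_password LIKE 'ZH%' THEN 'hashed (one-way)'
                ELSE 'other'
              END AS storage_mode
       FROM   apps.fnd_user
       WHERE  end_date IS NULL OR end_date > SYSDATE)
GROUP  BY storage_mode;
```

Any row from the first query is an account to reset with FNDCPASS (never with ALTER USER alone, or the application will stop connecting to that schema). Any user counted under "encrypted (reversible)" in the third query can have their password recovered by anyone holding the APPS password, which is the point of the section above.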

Myth n°2: Oracle EBS is secure once most of the items in the Secure Configuration Guide are implemented.

The reality is that every item in the Secure Configuration Guide is a bare minimum: all of them are required, and additional steps are needed on top.

Significant security risks and threats exist at different levels of the application. A few examples:

1. Sensitive data loss (data theft)

  • Bulk download via direct access (connecting straight to the database with a product schema or APPS password)
  • Bulk download via indirect access (through the application itself or an integration)

Both paths rely on the vulnerabilities listed below: default database passwords, direct database access, external application access configuration, and weak patching and change control.

2. Misuse of application privileges (fraud)

  • Bypassing the intended application controls
  • Using another user's privileges

These rely on default application passwords, poor application security design, external application access, weak patching, missing auditing, and weak application password controls.

Behind these threats sit the following top ten security vulnerabilities:


  1. Default Database Passwords
  2. Default Application Passwords
  3. Direct Database Access
  4. Poor Application Security Design
  5. External Application Access Configuration
  6. Poor Patching Policies and Procedures
  7. Access to SQL Forms in Application
  8. Weak Change Control Procedures
  9. No Database or Application Auditing
  10. Weak Application Password Controls
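Two of the ten, direct database access (item 3) and missing auditing (item 9), are the easiest to check from the database itself. The queries below are an added example, not from the original article; they assume a Release 12 instance, the `apps` schema prefix, a session with access to the `V$` and `DBA_*` views, and an application-tier host naming pattern (`ebsapp%`) that is only a placeholder for your own.

```sql
-- Added example for items 3 and 9 of the list above (not from the article).
-- Assumptions: Release 12, 'apps' schema prefix, DBA-level access to V$ views,
-- and app-tier hosts named 'ebsapp...' (placeholder; substitute your own).

-- 1. Direct database access: sessions logged in with an E-Business Suite
--    schema (APPS or a product schema) from anywhere other than the
--    application tier. Whatever is left is an ad-hoc tool such as SQL*Plus
--    or TOAD driven by someone who knows a schema password.
SELECT s.username, s.osuser, s.machine, s.program, s.module, s.logon_time
FROM   v$session s
       JOIN apps.fnd_oracle_userid f ON f.oracle_username = s.username
WHERE  s.type = 'USER'
AND    s.machine NOT LIKE 'ebsapp%'        -- placeholder app-tier host pattern
ORDER  BY s.logon_time;

-- 2. Database auditing: audit_trail = NONE means the database records nothing.
SELECT name, value
FROM   v$parameter
WHERE  name = 'audit_trail';

-- 3. Application sign-on auditing: the Site-level value of SIGNONAUDIT:LEVEL.
--    NONE (or no row at all) means user, responsibility and form access is
--    not being recorded; FORM is the most detailed setting.
SELECT o.profile_option_name, v.profile_option_value
FROM   apps.fnd_profile_options_vl o
       LEFT JOIN apps.fnd_profile_option_values v
              ON v.profile_option_id = o.profile_option_id
             AND v.application_id    = o.application_id
             AND v.level_id          = 10001
WHERE  o.profile_option_name = 'SIGNONAUDIT:LEVEL';
```

The first query only catches sessions that are open at the moment it runs; to see who connected over a period, the database audit trail from the second query (or a login trigger) has to be in place first, which is why the two items go together.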

 

Myth n°3: We hardened our Oracle EBS at go-live, so we are secure today.

The reality is that Oracle EBS security decays over time, and steps must be taken routinely to re-validate it.

An upgrade of the application adds database accounts:

  • A new database account is created for each new product module the upgrade introduces
  • The default password for each new account is the username

These new accounts must be secured as part of the upgrade (password changed with FNDCPASS, account locked if the module is not used), or the hardening done at go-live is silently undone. The same applies after every patch and configuration change: what was verified at go-live has to be verified again.
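The post-upgrade check described above, as an added example that is not from the original article: list every database account registered as an E-Business Suite product schema, when it was created, whether it is locked, and whether it still carries a password that Oracle's own default list recognises. It assumes a Release 12 instance, the `apps` schema prefix, DBA-level access, and a bind variable `:upgrade_date` (a placeholder) holding the date the upgrade was applied.

```sql
-- Added example for Myth n°3 (not from the article). Assumptions: Release 12,
-- 'apps' schema prefix, DBA-level access, and :upgrade_date set to the date
-- the upgrade was applied (placeholder bind; drop the filter to see all).

SELECT f.oracle_username,
       u.created,
       u.account_status,
       f.enabled_flag,
       CASE WHEN d.username IS NOT NULL THEN 'DEFAULT PASSWORD'
            ELSE 'changed or not on the default list'
       END AS pwd_state
FROM   apps.fnd_oracle_userid f
       JOIN dba_users u ON u.username = f.oracle_username
       LEFT JOIN dba_users_with_defpwd d ON d.username = f.oracle_username
WHERE  u.created >= :upgrade_date
ORDER  BY u.created, f.oracle_username;
```

DBA_USERS_WITH_DEFPWD only knows the defaults Oracle ships in its own list, so a schema that is not flagged has not necessarily been reset. The safe routine is to reset every product schema after each upgrade anyway (FNDCPASS has an ALLORACLE mode that changes all of them in one run) and to lock, or leave disabled, any schema whose module is not licensed or used.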

 

Myth n°4: The IT Security team and the DBAs are protecting Oracle EBS.

The reality is that securing Oracle EBS is hard and requires a focused effort from a multidisciplinary team.

The Oracle DBAs, the Oracle project team, IT Security and Internal Audit must all work together to make Oracle EBS secure and compliant. That means:

a) Ensure the application is securely configured

Work with the DBAs to understand what has been done and what has not.

b) Understand how data is accessed and protected

Learn what sensitive data is held in Oracle EBS, who accesses it, and what is done to protect it.

c) Obsess over the security of the external configuration

External access to the application should keep you up at night.


Myth n°5: When installing or upgrading, the latest Oracle Critical Patch Update (CPU) is already included.

The reality is that, for both the database and Oracle EBS, the installation media and upgrade patches only include the CPU that was current when they were built. After any fresh installation or upgrade you must still apply the latest CPU to both the database and Oracle EBS; otherwise the new environment goes live with publicly known vulnerabilities for which a fix already exists.

 

Myth n°6: Oracle EBS Critical Patch Updates (CPU) do not have to be installed if I do not use all the modules.

The reality is that every module is installed whether or not it is licensed or used, and its schema, forms and web pages can potentially be reached, so every CPU must be installed in full.
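Whether a given CPU has actually reached both tiers (Myths n°5 and n°6) can be verified from the patch records rather than from the release notes. The queries below are an added example, not from the original article; they assume a Release 12 instance, the `apps` schema prefix, DBA-level access, and placeholder bug numbers that must be replaced with the ones listed in the CPU advisory for your release.

```sql
-- Added example for Myths n°5 and n°6 (not from the article). Assumptions:
-- Release 12, 'apps' schema prefix, DBA-level access, and placeholder bug
-- numbers; take the real ones from the CPU advisory for your release.

-- 1. Database tier: every patch action is recorded in DBA_REGISTRY_HISTORY
--    (11g and later). On 12c and later DBA_REGISTRY_SQLPATCH shows the same
--    actions with an explicit STATUS column.
SELECT action_time, action, namespace, version, id, comments
FROM   dba_registry_history
ORDER  BY action_time DESC;

-- 2. Application tier: once a patch is applied, each bug it fixes is
--    recorded in AD_BUGS, regardless of which modules are in use. A CPU
--    whose bug numbers are absent has not been applied to this instance.
SELECT bug_number, creation_date
FROM   apps.ad_bugs
WHERE  bug_number IN ('12345678', '23456789')   -- placeholder bug numbers
ORDER  BY creation_date;
```

If the second query returns no rows for the CPU's bug numbers, the application tier is still exposed, whatever the database registry says; the two tiers are patched separately and must be checked separately.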

 

Myth n°7: Our network security will protect Oracle EBS from web attacks when it is deployed externally: we have routers, firewalls, intrusion prevention systems, web application firewalls and so on in place.

The reality is that the network security layers are neither aware of nor tuned for Oracle EBS. Firewalls, intrusion prevention systems and web application firewalls ship with few if any rules or signatures specific to Oracle EBS; the rules, application profiles and learning modes must be developed, tuned and tested by you, and kept up to date as the application changes.

If you review these points against your own environment, you have already started securing your Oracle E-Business Suite application. For assistance from AppsTech with securing your Oracle E-Business Suite environment, contact us today.