Copyright 2012, Oracle and/or its affiliates. All rights reserved.
2 The Top 10 (Free) Things You Can Do to Secure Your Oracle E-Business Suite Instance Eric Bing, Erik Graversen Applications Product Security 2
3 The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle's products remains at the sole discretion of Oracle. Copyright 2012, Oracle and/or its affiliates. All rights reserved. 3
4 Agenda Deployment and Configuration Secure Configuration Scripts Top 10: 1-5 Top 10: 6-10 Top 10: Bonus Credit Card Encryption E-Business Suite template for Data Masking Pack 4
5 Deployment and Configuration 5
6 Secure E-Business Suite Deployment General EBS advice Stay current with patching Apply Critical Patch Updates (CPUs) + Security Alerts Patch Setup Update (PSUs) are an option for techstack Apply most recent maintenance pack (yes, security improves as well) Follow our recommendations for secure deployment Secure Configuration Guide for Oracle E-Business Suite Oracle E-Business Suite Configuration in a DMZ Note: Follow this if deploying any parts of EBS to the Internet 6
7 E-Business Suite Secure Configuration Guides (previously known as Best Practice documents) Release 11i, MOS Note Release 12, MOS Note
8 E-Business Suite Secure Configuration Guides Advice for security-related switches to set/verify Many recommendations automated via AutoConfig and Oracle Application Manager (OAM) Advice also provided for optional security-related products (such as database options) Guidelines are based upon current patch levels and up Please raise an SR with support against the Guides if you feel there are problems or omissions with the advice 8
9 Secure Configuration Scripts Current State vs Recommendations ERRORS Likely vulnerable to issues WARNINGS Likely violating Secure Config Guidelines Run anywhere Scripts attempt to identify code level when required Any supported version of EBS Any supported version of the DB 9
10 Secure Config Scripts Packaged as SQL and Shell scripts EBSSecConfigChecks.sql runs all (12) other SQL scripts Compiles them into a single report Script comments often have hints for resolution EBSCheckModSecurity.sh shell script Ongoing Health Checks to ensure critical security functionality Run them early and often Once you have a baseline, check for diffs Roadmap: Online Dashboard with alerts 10
11 Top Ten 11
12 What makes the Top 10 cut? Biggest bang for the buck Most common issues seen at customer sites Not as well known / new features Least effort Applicable to many releases Free 12
13 Top 10: Items 1. Check Profile Settings 2. Change Default Passwords 3. Secure APPLSYSPUB 4. Activate Server Security 5. Implement IP address restrictions 13
14 1. Profile Settings Note Secure Configuration of E-Business Suite Profiles Check script - EBSCheckProfilesMissing.sql Reports on missing profiles Check script - EBSCheckProfileErrors.sql Reports on configuration errors Check script - EBSCheckProfileWarnings.sql Reports on configuration warnings 14
15 Missing Profiles Note Secure Configuration of E-Business Suite Profiles Check script - EBSCheckProfilesMissing.sql Server Security (discussed in detail later) FND_SERVER_SEC / FND_SERVER_IP_SEC missing: Patch# :R12.FND.A delivers these missing profiles for R Patch# :R12.FND.B delivers these missing profiles for R Attachments Secure Configuration (discussed later) FND_SECURITY_FILETYPE_RESTRICT_DFLT / FND_DISABLE_ANTISAMY_FILTER Introduced with January 2012 CPU 15
16 Profiles Configuration Errors Note Secure Configuration of E-Business Suite Profiles Check settings of critical profile options FND Validation Level Error FND Function Validation Level Error Framework Validation Level Error Restrict Text Input Y Attachments Secure Configuration (discussed later) Validation Level Profiles will be removed in
17 Profiles Configuration Warnings Note Secure Configuration of E-Business Suite Profiles Check settings of profile warnings FND Diagnostics No Utilities Diagnostics No Personalize Self-service Defn No Attachments Secure Configuration (discussed later) 17
18 2. Default Passwords E-Business Suite User Passwords Check script - EBSCheckUserPasswords.sql Checks EBS User passwords for default passwords Secure seeded application accounts, end date, and change password See the Secure Configuration Guide Oracle E-Business Suite Security / Authentication 18
19 2. Default Passwords Database Passwords Check script - EBSCheckDBPasswords.sql Checks User and DB passwords select * from dba_users_with_defpwd (11g only) Fix using: AFPASSWD / FNDCPASS APPS controlled accounts Password / alter user - for non-apps controlled accounts The Secure Configuration Guide Appendix C lists each user and provides advice 19
20 3. Secure APPLSYSPUB Change password Only in R12 Must run AutoConfig to populate the change to configuration files APPLSYSPUB password must always be uppercase (even if Case Sensitive Passwords have been turned on) 20
21 3. Secure APPLSYSPUB SCG - REVOKE UNNECESSARY GRANTS GIVEN TO APPLSYSPUB Check script - EBSCheckApplsyspubPrivs.sql Check privileges Fix privs: Run $FND_TOP/patch/115/sql/afpubfix.sql 21
22 4. Activate Server Security Secure Config Guide - ACTIVATE SERVER SECURITY Check script - EBSCheckServerSecurity.sql
select 'Server Security is on' from FND_NODES where server_address = '*' and upper(server_id) = 'SECURE';
Switch Server Security to SECURE mode System Administrators Guide, Administering Server Security 22
23 Server Security feature Sample DBC file created by AdminAppServer or AdminDesktop:
GWYUID=APPLSYSPUB/PUB
GUEST_USER_PWD=GUEST/ORACLE
FNDNAM=APPS
APPL_SERVER_ID=AC70BE2E89CAC15F
TWO_TASK=PROD
DB_PORT=1521
DB_HOST=pdb1213.example.com
(ADDRESS\=(PROTOCOL\=tcp)(HOST\=pdb1213.example.com)(PORT\=1521)))(CONNECT_DATA\=(SERVICE_NAME\=PROD)))
JDBC\:oracle.jdbc.maxCachedBufferSize=
24 Using AdminDesktop Use AdminDesktop to create DBC files for non-ebs nodes Non-EBS nodes are BPEL and WebService nodes Create the DBC file on an EBS AppTier node Create it to be IP Address specific Maintain mode 600 while creating and copying to the recipient node Documented in Note: "AppsDataSource, Java Authentication and Authorization Service, and Utilities for Oracle E-Business Suite". 24
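The slides ask that a DBC file for a non-EBS node be created IP-address specific and kept at mode 600 while it is created and copied. The following is an added example (not Oracle's code) that parses a DBC file's Java-properties format and reports the findings a deployment review would want: file permissions, the APPL_SERVER_ID needed for Server Security, and a guest password that still matches the value in the slide's sample. The DBC contents are constructed from the keys shown on the slide.

```python
"""Hygiene check for a DBC file created with AdminAppServer or AdminDesktop.

Added example, not Oracle code. DBC files are Java property files: '#' starts
a comment and ':' or '=' inside a key is escaped with a backslash, so each line
is split on its first unescaped '='. The sample content is constructed from
the keys on the slide; the expected server id is an assumed value.
"""
import os
import stat
import tempfile

# Constructed sample DBC body (keys as shown on the slide).
SAMPLE_DBC = "\n".join([
    "GWYUID=APPLSYSPUB/PUB",
    "GUEST_USER_PWD=GUEST/ORACLE",
    "FNDNAM=APPS",
    "APPL_SERVER_ID=AC70BE2E89CAC15F",
    "TWO_TASK=PROD",
    "DB_PORT=1521",
    "DB_HOST=pdb1213.example.com",
    "JDBC\\:oracle.jdbc.maxCachedBufferSize=",
])


def parse_dbc(text):
    """Return {key: value} from a DBC file, honouring backslash escapes in keys."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, value, escaped, seen_sep = "", "", False, False
        for ch in line:
            if seen_sep:
                value += ch            # everything after the separator is the value
            elif escaped:
                key += ch              # escaped ':' or '=' is part of the key
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch == "=":
                seen_sep = True
            else:
                key += ch
        props[key] = value.strip()
    return props


def check_dbc(path, expected_server_id=None):
    """Return a list of (severity, message) findings for the DBC file at path."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        findings.append(("ERROR", "mode %o allows group/other access; keep 600" % mode))
    with open(path) as fh:
        props = parse_dbc(fh.read())
    if "APPL_SERVER_ID" not in props:
        findings.append(("ERROR", "APPL_SERVER_ID missing; required for Server Security"))
    elif expected_server_id and props["APPL_SERVER_ID"] != expected_server_id:
        findings.append(("WARNING", "APPL_SERVER_ID differs from the id registered for this node"))
    if props.get("GUEST_USER_PWD") == "GUEST/ORACLE":
        findings.append(("WARNING", "GUEST_USER_PWD still matches the sample/default value"))
    return findings


def demo():
    """Write the constructed sample at mode 644 and at mode 600, then check both."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, mode in (("loose.dbc", 0o644), ("tight.dbc", 0o600)):
            path = os.path.join(tmp, name)
            with open(path, "w") as fh:
                fh.write(SAMPLE_DBC + "\n")
            os.chmod(path, mode)
            results[name] = check_dbc(path, "AC70BE2E89CAC15F")  # assumed expected id
    return results


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, findings)
```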
25 5. Implement IP address restrictions: Using AutoConfig to Manage System Configurations Use a whitelist of IP addresses Profile: Allow Restricted (FND_SQLNET_ACCESS) tells AutoConfig to automate this when run on the DB server $TNS_ADMIN/sqlnet.ora: tcp.validnode_checking = YES tcp.invited_nodes = ( X.X.X.X, hostname,... ) 25
26 5. Implement IP address restrictions: Using AutoConfig to Manage System Configurations No automated check via scripts Manual check from a node not in the white list; you should get a hang-up:
bash$ telnet ebs.example.com 4443
Trying 115.X.X.X...
Connected to ebs.example.com
Escape character is '^]'.
Connection closed by foreign host. 26
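Since the slides note there is no automated script check for the sqlnet.ora whitelist, here is an added example (not from Oracle) that audits the two parameters AutoConfig writes, tcp.validnode_checking and tcp.invited_nodes, and grades the result ERROR/WARNING/OK in the spirit of the check scripts. The sqlnet.ora bodies and the expected app-tier node list are constructed.

```python
"""Audit a database-tier sqlnet.ora for TNS valid node checking.

Added example, not Oracle code. It reports ERROR when the listener does not
enforce the whitelist at all, WARNING when checking is on but an expected
app-tier node would be locked out (or the list is empty), and OK otherwise.
The file bodies and expected node list below are constructed.
"""
import re

# Constructed sample: AutoConfig has enabled the whitelist.
SQLNET_RESTRICTED = """
NAMES.DIRECTORY_PATH=(TNSNAMES, ONAMES, HOSTNAME)
SQLNET.EXPIRE_TIME=10
tcp.validnode_checking = YES
tcp.invited_nodes = ( 10.20.30.41, 10.20.30.42, apps01.example.com )
"""

# Constructed sample: the invited list exists but checking was never switched
# on, so any node can still reach the listener.
SQLNET_WEAK = """
tcp.validnode_checking = NO
tcp.invited_nodes = ( 10.20.30.41 )
"""

_PARAM_RE = re.compile(r"^\s*([A-Za-z0-9_.]+)\s*=\s*(.*?)\s*$")


def parse_sqlnet(text):
    """Return {lowercased parameter: raw value}; '#' comment lines are skipped."""
    params = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = _PARAM_RE.match(line)
        if m:
            params[m.group(1).lower()] = m.group(2)
    return params


def invited_nodes(params):
    """Split the parenthesised tcp.invited_nodes list into individual entries."""
    raw = params.get("tcp.invited_nodes", "")
    return [n.strip() for n in raw.strip().strip("()").split(",") if n.strip()]


def audit_sqlnet(text, expected_nodes):
    """Grade a sqlnet.ora body; returns (severity, explanation)."""
    params = parse_sqlnet(text)
    checking = params.get("tcp.validnode_checking", "NO").strip().upper()
    nodes = invited_nodes(params)
    if checking != "YES":
        return "ERROR", "tcp.validnode_checking is not YES; no IP restriction in force"
    if not nodes:
        return "WARNING", "tcp.validnode_checking is YES but tcp.invited_nodes is empty"
    missing = [n for n in expected_nodes if n not in nodes]
    if missing:
        return "WARNING", "expected app-tier nodes not invited: " + ", ".join(missing)
    return "OK", "valid node checking enforces %d invited node(s)" % len(nodes)


if __name__ == "__main__":
    expected = ["10.20.30.41", "apps01.example.com"]  # assumed app-tier nodes
    for name, body in (("restricted", SQLNET_RESTRICTED), ("weak", SQLNET_WEAK)):
        print(name, *audit_sqlnet(body, expected))
```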
27 Top 10: Items 6. Migrate to Password Hash 7. Enable Application Tier Secure Socket Layer (SSL) 8. Move Off of Client/Server Components 9. Secure Configuration of Attachments 10. Turn on ModSecurity 27
28 6. Migrate Oracle Applications User Passwords to Non-Reversible Hash Password MOS Note FNDCPASS Utility New Feature Check script - EBSCheckHashedPasswords.sql select 'Hashed passwords are not on' "Password Mode" from dual where FND_WEB_SEC.GET_PWD_ENC_MODE is null; Switch to hashed passwords for applications users Note FNDCPASS apps/apps 0 Y system/manager USERMIGRATE SHA1 Upgrade any desktop clients FNDPUB DLL/Libraries Discoverer, Configurator, Desktop ADI Or even better, replace these with their web variant 28
29 7. Enable SSL/TLS for web listener Note Enabling SSL for Oracle Applications Release 12 Check script - EBSCheckSSL.sql Checks via FND_WEB_CONFIG.PROTOCOL Enable SSL (https) for web listener Avoid weak ciphers and protocols (<128 bit & SSLv2) Using Telnet Mobile Web Apps? Mechanism for securing MWA Telnet communication via Stunnel (Note ) 29
30 8. Move off of client/server components End User PCs should not have a direct DB connection Switch to equivalent Web components when possible Desktop ADI -> Web ADI and Report Manager Put client/server components on a secured server (Note ) Windows Server Terminal Services Secure Global Desktop Users should not be able to access the DBC file directly 30
31 9. Secure Configuration of Attachments Check script Part of the profile checks File Upload Limits for Attachments Attachments file type validation Tag scanning of HTML Attachments 31
32 File Upload Limits for Attachments Note How to Limit The Attachment File Size? Allowing unlimited attachment sizes can allow for a Denial of Service (DoS) attack Profile: Upload File Size Limit (UPLOAD_FILE_SIZE_LIMIT) Limits the maximum Attachment file size that can be uploaded Specified in KB (e.g. 2000KB) 32
33 Attachments File Type Validation Note Security Configuration Mechanism in Attachments Delivered as part of January 2012 CPU Profile: Attachment File Upload Restriction Default Yes (default): Blacklist behavior, disallow types marked as N No (recommended): Whitelist behavior, only allow types marked as Y Attachments file type validation New column FND_MIME_TYPES.ALLOW_FILE_UPLOAD, values N & Y Configured by default as a black list 33
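The two attachment controls above (size limit in KB, and the blacklist-versus-whitelist reading of FND_MIME_TYPES.ALLOW_FILE_UPLOAD) are modelled in this added example, which is not Oracle's code; it makes visible why the slide recommends the whitelist setting: a type that is absent from the table is accepted under the blacklist default but rejected under the whitelist. The MIME table rows are a constructed excerpt.

```python
"""Model the two attachment controls from item 9 of the slides.

Added example, not Oracle code. Upload File Size Limit is in KB; the
Attachment File Upload Restriction Default profile switches how the N/Y flag
in FND_MIME_TYPES.ALLOW_FILE_UPLOAD is applied. Table rows are constructed.
"""

# Constructed excerpt of FND_MIME_TYPES: extension -> ALLOW_FILE_UPLOAD flag.
MIME_TYPES = {
    "pdf": "Y",
    "txt": "Y",
    "exe": "N",
    "bat": "N",
    # "html" is deliberately absent to show how each mode treats unknown types
}


def size_allowed(size_bytes, limit_kb):
    """Upload File Size Limit is expressed in KB; None or 0 means unlimited."""
    if not limit_kb:
        return True
    return size_bytes <= limit_kb * 1024


def type_allowed(extension, restriction_default, mime_types=MIME_TYPES):
    """Apply the Attachment File Upload Restriction Default profile.

    "Yes" (default): blacklist - reject only types flagged N, so a type that is
        missing from the table slips through.
    "No" (recommended): whitelist - accept only types flagged Y, so a missing
        type is rejected.
    """
    flag = mime_types.get(extension.lower())
    if restriction_default == "Yes":
        return flag != "N"
    if restriction_default == "No":
        return flag == "Y"
    raise ValueError("profile value must be 'Yes' or 'No'")


def check_upload(filename, size_bytes, limit_kb, restriction_default):
    """Return (accepted, reason) for one attachment against both controls."""
    ext = filename.rsplit(".", 1)[-1] if "." in filename else ""
    if not size_allowed(size_bytes, limit_kb):
        return False, "exceeds Upload File Size Limit of %d KB" % limit_kb
    if not type_allowed(ext, restriction_default):
        mode = "blacklist" if restriction_default == "Yes" else "whitelist"
        return False, "type '%s' rejected by %s rule" % (ext, mode)
    return True, "accepted"


if __name__ == "__main__":
    for profile in ("Yes", "No"):
        for name, size in (("q1.pdf", 150 * 1024), ("page.html", 4096),
                           ("big.pdf", 5 * 1024 * 1024), ("x.exe", 10)):
            print(profile, name, check_upload(name, size, 2000, profile))
```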
34 Tag scanning of HTML Attachments Note Security Configuration Mechanism in Attachments Delivered as part of January 2012 CPU Tag scanning of HTML Attachments OWASP Antisamy allows a specific (white list) of HTML tags Profile: FND: Disable Antisamy Filter False (default / recommended) sanitize HTML pages The document you uploaded has been modified to remove restricted tags. Please check the document and replace it if necessary. 34
35 Tag scanning of HTML Attachments Note Security Configuration Mechanism in Attachments Warning: Antisamy scan requires the character set to be known: Can cause character set issues for binary attachments Fix (patch ) will use meta tag or FND_NATIVE_CLIENT_ENCODING Need to take this patch up if you see character set issues in binary attachments 35
36 10. Ensure ModSecurity is on Check script - EBSCheckModSecurity.sh Usage: EBSCheckModSecurity.sh Shell script not included in EBSSecConfigChecks.sql ModSecurity - Web Application Firewall Apache module Part of iAS and OHS Automatically configured ModSecurity blocks bad requests (black list) and can also white list Null bytes, directory crawling, URL encoding, UTF-8 encoding Stops obviously bad requests early 36
37 Top 10: Bonus 11. Encrypt Credit Card Data 12. Separation of Duties: Review Access To Sensitive Administrative Pages 37
38 11. Credit Card Encryption Check script - EBSCheckCCEncryption.sql 1. Checks whether credit cards are encrypted in Immediate mode Info on encryption - Payments User Implementation guide. For more info on PA-DSS compliance - Note
39 11. Credit Card Encryption New features Check script - EBSCheckCCEncryption.sql 2. Checks Supplemental Credit Card Data Encryption Encrypts expiration date and card holder name MOS Note 'Payments Release Notes' 3. Enhanced Hashing Defends against brute forcing of hashes Concurrent program to rehash Patch :R12.IBY.B 39
40 12. Sensitive Administrator Functionality Note Sensitive Administrative Pages in Oracle EBS Security Administrator Control of access to pages and profiles Administrator / Developer Functionality Pages / profiles which allow for Application Development at Runtime SQL fragments, HTML fragments, OS commands Should be disabled, controlled, and audited in production environments Flexfield definitions Forms and Framework personalization Designed-in SQL injections or XSS injections 40
41 12. Sensitive Administrator Functionality Note Sensitive Administrative Pages in Oracle EBS Identifies new categories of sensitive functionality: Oracle Forms-based Forms Controlled by Function Security (~40) HTML Pages Controlled by Function Security (~25) Pages and Forms Controlled by Profile Options (3) Pages Controlled by JTF Roles and Permissions (3) 41
42 12. Sensitive Administrator Functionality Note Sensitive Administrative Pages in Oracle EBS Check Script: EBSCheckSensitivePageAccess.sql Not called by default from EBSSecConfigChecks.sql SQL scripts drive off of page and form names (not functions) Slower, but ensures we pick up custom functions that include these Reduce and eliminate access to these pages by admins in production Use Fine Grained Auditing to audit the tables associated with these pages 43
43 E-Business Suite template for Data Masking Pack 44
44 What is Data Masking? Production (LAST_NAME, SSN, SALARY): AGUILAR ,000; BENSON ,000. Non-Production (LAST_NAME, SSN, SALARY): ANSKEKSL ,000; BKJHHEIEDK ,000. What: The act of anonymizing customer, financial, or company-confidential data to create new, legible data that retains the data's properties, such as its width, type, and format. Why: To protect confidential data in non-production environments when the data is shared with non-production users without revealing sensitive information 45
45 Oracle E-Business Suite Data Masking Note Using Oracle EBS Template for the Data Masking Pack Oracle E-Business Suite Template for Data Masking Metadata for the Oracle Data Masking Pack Documentation and scripts for the process Replaces EBS Application Management Pack Data Scrambling Masking template is superset of shipped Data Scrambling AMP Data Scrambling still supported No direct migration path planned 46
46 Versions & Licensing Note Using Oracle EBS Template for the Data Masking Pack Included with license for Oracle Data Masking Pack Initial release (May 29th, 2012) for: E-Business Suite Enterprise Manager 11g ( PSU5) Plus additional EM patch (Patch ) All DB versions E-Business Suite is certified on 47
47 Goals in Application Masking Note Using Oracle EBS Template for the Data Masking Pack De-identify the data Scramble identifiers of individuals (PII) Name, account, address, location, driver's license Mask sensitive data Mask the data that, if associated with PII, would cause privacy concerns Compensation, Health, Employment Information Maintain Data Validity Don't break the application (when possible) 48
48 Product Coverage of E-Business Suite Note Using Oracle EBS Template for the Data Masking Pack Around 1000 Columns Includes localizations Impact (based on columns and bugs logged): 60% HCM - Payroll, Employment Details, Personal Info, Localization columns 15% ATG FND users, roles, workflow 10% CRM /TCA Parties data 15% Financials, Lease, Projects, SCM 49
49 Futures Enterprise Manager 12c certification E-Business Suite 12.2 certification EMCLI support Pluggable formats Subsetting of the masks by attribute 52
50 Masking References Note Using Oracle EBS Template for the Data Masking Pack Steven Chan's Blog ATG Live presentation walk-through of the MOS Note Masking demo Available at the demo grounds 53
51 Secure Configuration References Note Secure Configuration Guide for EBS Release 11i Note Secure Configuration Guide for EBS Release 12 Appendix G: Contains Check Scripts Appendix H: Contains pointers to all the Notes discussed Credit card protection: Supplemental Credit Card Data Encryption MOS Note 'Payments Release Notes' Enhanced Hashing Patch :R12.IBY.B 54
52 Q&A 55
More informationSecurity context. Technology. Solution highlights
Code42 CrashPlan Security Code42 CrashPlan provides continuous, automatic desktop and laptop backup. Our layered approach to security exceeds industry best practices and fulfills the enterprise need for
More informationThe SANS Institute Top 20 Critical Security Controls. Compliance Guide
The SANS Institute Top 20 Critical Security Controls Compliance Guide February 2014 The Need for a Risk-Based Approach A common factor across many recent security breaches is that the targeted enterprise
More informationSecurity Enhancements in Informatica 9.6.x
Security Enhancements in Informatica 9.6.x 1993-2016 Informatica Corporation. No part of this document may be reproduced or transmitted in any form, by any means (electronic, photocopying, recording or
More informationWeb insecurity Security strategies General security Listing of server-side risks Language specific security. Web Security.
Web Security Web Programming Uta Priss ZELL, Ostfalia University 2013 Web Programming Web Security Slide 1/25 Outline Web insecurity Security strategies General security Listing of server-side risks Language
More informationOracle Database Logging and Auditing
Oracle Database Logging and Auditing January 15, 2015 Mike Miller Chief Security Officer Integrigy Corporation Stephen Kost Chief Technology Officer Integrigy Corporation Phil Reimann Director of Business
More informationData Protection. Plugging the gap. Gary Comiskey 26 February 2010
Data Protection. Plugging the gap Gary Comiskey 26 February 2010 Data Protection Trends in Financial Services Financial services firms are deploying data protection solutions across their enterprise at
More informationProject and Portfolio Management Center
Project and Portfolio Management Center Software Version: 9.42 Security Guide Go to HELP CENTER ONLINE http://admhelp.microfocus.com/ppm/ Document Release Date: September 2017 Software Release Date: September
More informationOracle E-Business Suite and Java Security What You Need to Know
Oracle E-Business Suite and Java Security What You Need to Know March 26, 2019 Stephen Kost Chief Technology Officer Integrigy Corporation Phil Reimann Director of Business Development Integrigy Corporation
More informationXerox Audio Documents App
Xerox Audio Documents App Additional information, if needed, on one or more lines Month 00, 0000 Information Assurance Disclosure 2018 Xerox Corporation. All rights reserved. Xerox, Xerox,
More informationSQL Injection Attacks and Defense
SQL Injection Attacks and Defense Justin Clarke Lead Author and Technical Editor Rodrigo Marcos Alvarez Dave Hartley Joseph Hemler Alexander Kornbrust Haroon Meer Gary O'Leary-Steele Alberto Revelli Marco
More informationPCI DSS Compliance. Verba SOLUTION GUIDE. Introduction. Verba and the Payment Card Industry Data Security Standard
Introduction Verba provides a complete compliance solution for merchants and service providers who accept and/or process payment card data over the telephone. Secure and compliant handling of a customer
More informationIBM BigFix Compliance PCI Add-on Version 9.5. Payment Card Industry Data Security Standard (PCI DSS) User's Guide IBM
IBM BigFix Compliance PCI Add-on Version 9.5 Payment Card Industry Data Security Standard (PCI DSS) User's Guide IBM IBM BigFix Compliance PCI Add-on Version 9.5 Payment Card Industry Data Security Standard
More informationForeScout Extended Module for IBM BigFix
ForeScout Extended Module for IBM BigFix Version 1.0.0 Table of Contents About this Integration... 4 Use Cases... 4 Additional BigFix Documentation... 4 About this Module... 4 Concepts, Components, Considerations...
More informationPASS4TEST. IT Certification Guaranteed, The Easy Way! We offer free update service for one year
PASS4TEST IT Certification Guaranteed, The Easy Way! \ http://www.pass4test.com We offer free update service for one year Exam : 156-210 Title : Check Point CCSA NG Vendors : CheckPoint Version : DEMO
More informationOracle Fusion Middleware
Oracle Fusion Middleware Administering Web Services 12c (12.1.2) E28131-01 June 2013 Documentation for developers and administrators that describes how to administer Web services. Oracle Fusion Middleware
More informationMobile Malfeasance. Exploring Dangerous Mobile Code. Jason Haddix, Director of Penetration Testing
Mobile Malfeasance Exploring Dangerous Mobile Code Jason Haddix, Director of Penetration Testing Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to
More informationIT Service Delivery and Support Week Three. IT Auditing and Cyber Security Fall 2016 Instructor: Liang Yao
IT Service Delivery and Support Week Three IT Auditing and Cyber Security Fall 2016 Instructor: Liang Yao 1 Infrastructure Essentials Computer Hardware Operating Systems (OS) & System Software Applications
More informationHPE Project and Portfolio Management Center
HPE Project and Portfolio Management Center Software Version: 9.41 Security Guide Go to HELP CENTER ONLINE http://ppm-help.saas.hpe.com Document Release Date: March 2017 Software Release Date: March 2017
More informationNETWRIX GROUP POLICY CHANGE REPORTER
NETWRIX GROUP POLICY CHANGE REPORTER ADMINISTRATOR S GUIDE Product Version: 7.2 November 2012. Legal Notice The information in this publication is furnished for information use only, and does not constitute
More informationSafe Harbor Statement
Safe Harbor Statement The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment
More informationHow to Troubleshoot Databases and Exadata Using Oracle Log Analytics
How to Troubleshoot Databases and Exadata Using Oracle Log Analytics Nima Haddadkaveh Director, Product Management Oracle Management Cloud October, 2018 Copyright 2018, Oracle and/or its affiliates. All
More informationDreamFactory Customer Privacy and Security Whitepaper Delivering Secure Applications on Salesforce.com
DreamFactory Customer Privacy and Security Whitepaper Delivering Secure Applications on Salesforce.com By Bill Appleton, CTO, DreamFactory Software billappleton@dreamfactory.com Introduction DreamFactory
More informationReady Theatre Systems RTS POS
Ready Theatre Systems RTS POS PCI PA-DSS Implementation Guide Revision: 2.0 September, 2010 Ready Theatre Systems, LLC - www.rts-solutions.com Table of Contents: Introduction to PCI PA DSS Compliance 2
More informationSecure Coding, some simple steps help. OWASP EU Tour 2013
Secure Coding, some simple steps help. OWASP EU Tour 2013 About Me Steven van der Baan - Dutch - 7Safe, part of PA Consulting Group - Developer - Pentester - Consultant - CISSP, OSCP It's amazing how
More informationSecurity Best Practices. For DNN Websites
Security Best Practices For DNN Websites Mitchel Sellers Who am I? Microsoft MVP, ASPInsider, DNN MVP Microsoft Certified Professional CEO IowaComputerGurus, Inc. Contact Information msellers@iowacomputergurus.com
More informationOracle Security Products and Their Relationship to EBS. Presented By: Christopher Carriero
Oracle Security Products and Their Relationship to EBS Presented By: Christopher Carriero 1 Agenda Confidential Data in Corporate Systems Sensitive Data in the Oracle EBS What Are the Oracle Security Products
More informationCombating Common Web App Authentication Threats
Security PS Combating Common Web App Authentication Threats Bruce K. Marshall, CISSP, NSA-IAM Senior Security Consultant bmarshall@securityps.com Key Topics Key Presentation Topics Understanding Web App
More informationEnterprise Manager: Scalable Oracle Management
Session id:xxxxx Enterprise Manager: Scalable Oracle John Kennedy System Products, Server Technologies, Oracle Corporation Enterprise Manager 10G Database Oracle World 2003 Agenda Enterprise Manager 10G
More informationDocument Cloud (including Adobe Sign) Additional Terms of Use. Last updated June 5, Replaces all prior versions.
Document Cloud (including Adobe Sign) Additional Terms of Use Last updated June 5, 2018. Replaces all prior versions. These Additional Terms govern your use of Document Cloud (including Adobe Sign) and
More informationEXAMGOOD QUESTION & ANSWER. Accurate study guides High passing rate! Exam Good provides update free of charge in one year!
EXAMGOOD QUESTION & ANSWER Exam Good provides update free of charge in one year! Accurate study guides High passing rate! http://www.examgood.com Exam : 70-298 Title : Designing Security for a MS Windows
More informationMicrosoft Exam
Volume: 59 Questions Question: 1 Your network contains an Active Directory forest named contoso.com. The forest functional level is Windows Server 2012. All servers run Windows Server 2016. You create
More information<Insert Picture Here> Configuration Manager Installation Process
Configuration Manager Installation Process Agenda Collector and Configuration Manager Unzipping the distribution file Creation of the CCR directory Running Setup Installation, License,
More informationME?
ME? VULNEX: Blog: Twitter: www.vulnex.com www.simonroses.com @simonroses TALK OBJECTIVES Apps are the new Web Peek into current state of Apps security on Markets Bugs will be revealed but not the victims
More informationAn Oracle Technical White Paper September Oracle VM Templates for PeopleSoft
An Oracle Technical White Paper September 2010 Oracle VM Templates for PeopleSoft 1 Disclaimer The following is intended to outline our general product direction. It is intended for information purposes
More information