77848485 upgrade-security-in-your-r12-upgrade

  • View
    151

  • Download
    0

Embed Size (px)

DESCRIPTION

R1 security

Text of 77848485 upgrade-security-in-your-r12-upgrade

  • 1. missioncriticalapplicationsmissioncriticalsecurityUpgradeSecurityinYourOracleR12UpgradeStephenKostChiefTechnologyOfficerIntegrigyCorporationNCOAUGWinter2011February25,2011

2. IntegrigyOverview IntegrigyCorporationisaleaderinapplicationsecurityforenterprise missioncriticalapplications.AppSentry,ourapplicationanddatabase securityassessmenttool,assistscompaniesinsecuringtheirlargestand mostimportantapplicationsthroughdetailedsecurityauditsandactionable recommendations.IntegrigyConsultingofferscomprehensivesecurity assessmentservicesforleadingdatabasesandERPapplications,enabling companiestoleverageourindepthknowledgeofthissignificantthreatto businessoperations. CorporateDetails FoundedDecember2001 PrivatelyHeld BasedinChicago,Illinois 3. BackgroundSpeakerCompanyStephenKostIntegrigyCorporation CTOandFounder Integrigybridgesthegapbetween databasesandsecurity 16yearsworkingwithOracle SecurityDesignandAssessmentof 12yearsfocusedonOracle OracleDatabases security SecurityDesignandAssessmentof DBA,AppsDBA,technical theOracleEBusinesssuite architect,ITsecurity, AppSentry SecurityAssessment SoftwareTool 4. IntegrigySecurityAlerts SecurityAlertVersionsSecurityVulnerabilities Oracle11g2IssuesinOracleRDBMSAuthentication CriticalPatchUpdateJuly2008 11.5.8 12.0.x 2OracleEBusinessSuitevulnerabilities 12.0.x8vulnerabilities,SQLinjection,XSS,information CriticalPatchUpdateApril2008 11.5.7 11.5.10 disclosure,etc. 12.0.x11vulnerabilities,SQLinjection,XSS,information CriticalPatchUpdateJuly200711.5.1 11.5.10 disclosure,etc.11.5.1 11.5.10 CriticalPatchUpdateOctober200511.0.x Defaultconfigurationissues11.5.1 11.5.10 SQLinjectionvulnerabilities CriticalPatchUpdateJuly2005 11.0.xInformationdisclosure11.5.1 11.5.10 SQLinjectionvulnerabilities CriticalPatchUpdateApril200511.0.xInformationdisclosure11.5.1 11.5.10 CriticalPatchUpdateJan200511.0.x SQLinjectionvulnerabilities Bufferoverflows OracleSecurityAlert#68Oracle8i,9i,10g Listenerinformationleakage 11.5.1 11.5.8 OracleSecurityAlert#67 11.0.x 10SQLinjectionvulnerabilities 11.5.1 11.5.8 BufferoverflowinFNDWRR.exe OracleSecurityAlert#56 11.0.x MultiplevulnerabilitiesinAOL/JSetupTest OracleSecurityAlert#55 11.5.1 11.5.8 Obtainsensitiveinformation(validsession)10.7,11.0.x NoauthenticationinFNDFSprogram OracleSecurityAlert#53 11.5.1 11.5.8 RetrieveanyfilefromO/S 5. AgendaImprovingSecurityR12SecurityduringtheUpgradeEnhancementsQ&A 12345 11iandR12 R12New Differences SecurityFeatures 6. AgendaImprovingSecurityR12SecurityduringtheUpgradeEnhancementsQ&A 12345 11iandR12 R12New Differences SecurityFeatures 7. WhydoSecurityduringtheupgrade?1 TechnologyStackUpgrades Newversion=newsecurityfeatures Resetofsecuritypatching shouldbecurrentatgolive2 Functional,Technical,&StressTesting Functionalapplicationtesting Performanceandstresstesting3 ModificationstoCustomizations Someormanycustomizationsmustbeupgraded Idealtimetoreviewdevelopmentstandards 8. TraditionalR12UpgradeProjectPostEvaluate PlanTestUpgrade UpgradeSecurity Security Security Security Security 9. SecurityAwareR12UpgradeProjectGoal:Highsecurityvalue,lowprojecteffort,majortestingrequired,lowprojectrisk PostEvaluate Plan Test UpgradeUpgrade SecurityandFunctionaland Implement compliancegapanalysistechnicaltestnew securityprocess Reviewnewapplicationsecurityfeatures improvements andtechnologystackPerformancetest Postupgrade securityfeaturesauditing securityreviewenhancements ImprovesecurityandImplementnewsecurity complianceprocesses features DevelopnewsecurityLatestsecuritypatches features Upgradehardeningtask CustomizationsecuritySecurityscan reviews 10. ExampleUpgradeSecurityEnhancementsSecuritySecurity ProjectTesting ProjectEnhancement Value Effort RequiredRiskRestrictedDatabaseAccessHigh MediumHigh MediumAuditingHighLowMediumLowEncryptionHighLowHigh MediumSecurityPatchesHighLowMediumLowSecurityHardening Medium LowMediumLowDatabaseAccessControls MediumMediumMediumLowDataScramblingMedium LowLow LowSingleSignon LowHigh HighHigh 11. R12UpgradeImpactedSecurityProcessesOracleApplicationsTechnicalComponents OracleApplications DatabaseApplicationServerOperatingSystem 1.1UserManagement1. AccountSecurity 1.3DatabaseSecurity 1.4NetworkandWeb1.5OSSecurity1.2SegregationofDuties 2.1DataManagement2.2DatabaseAccess2.DataSecurity2.3WebAccess2.4FilePermissionsandPrivacy andPrivilegesOperationalProcesses3.Auditing 3.1ApplicationAuditing3.2DatabaseAuditing 3.3WebLogging3.4OSAuditing4.Monitoringand4.1Application 4.2Database 4.3WebandForms4.4OperatingSystem Troubleshooting 5.1ObjectMigrations 5.3ChangeControl5.Change 5.5ChangeControl5.6ChangeControl Management5.2Application 5.4Database Configuration Configuration 6.3ApplicationServer6.Patching 6.1ApplicationPatches 6.2DatabasePatches 6.4OSPatchesPatches7.3Web7.Development7.1Application 7.2Database7.5ShellandFileTransfer7.4WebServicesandSOA 12. AgendaImprovingSecurityR12SecurityduringtheUpgradeEnhancementsQ&A 12345 11iandR12 R12New Differences SecurityFeatures 13. 11i/R12ArchitectureDifferencesOracleEBS11.5.10.2OracleEBS12.1.3ApplicationServer ApplicationServer circaReplaces 1999JServ JServOC4J ApacheApache 1.3.191.3.34JSP (currentisJSP WebListenerWebListener 1.3.42orBC4J Removed2.2.17) BC4JinR12modplsqlUIXReportsReports8.0.6.3 FormsOracleFormsHome Oracle9iAS1.0.2.2.2OracleAS10g10.1.2/10.1.3Version AppServerDesupported Upgradable ~2005 14. 11i/R12ArchitectureDifferencesOracleDatabaseUpgrade 9.2/10.2replacedwith11.2 11.2hasTDEtablespace encryptionOracleJinitiator >SunJRE Improvedsupportandstandardizationmod_plsql retired Significantsecurityvulnerabilitieshistorically AlloweddirectexecutionofPL/SQLpackagesindatabaseFormsServer>FormsListenerServlet AllnetworktrafficthroughApacheserver nostandaloneportOracleReports>XMLPublisher Improvedsecuritymodelandfeatures 15. CriticalPatchUpdates R12CriticalPatchUpdatesarecumulative 11iintroducedcumulativepatcheswithJanuary2010CPUDatabaseVersion Included CPU EBSVersion Included CPU UpgradePatch10.2.0.4April200812.0.6October200811.1.0.6 October2007 12.1.1 April200911.1.0.7 January2009 12.1.2October200911.2.0.1 January2010 12.1.3January2011*11.2.0.2 January2011 *EstimatedbyIntegrigy 16. R12ApplicationUsersAddedNewapplicationaccountsfrom12.0.0onward INDUSTRYDATA ORACLE12.0.0 ORACLE12.1.0 ORACLE12.2.0 ORACLE12.3.0 ORACLE12.4.0 ORACLE12.5.0 ORACLE12.6.0 ORACLE12.7.0 ORACLE12.8.0 ORACLE12.9.0Allareactiveaccounts with invalid passwords 17. DatabaseAccountsAddedAnewdatabaseaccountisaddedforeachnewproductmodule Databaseaccountsactivewithdefaultpassword Partiallistofnewmoduledatabaseaccounts:CA,DDR,DNA,DPP,FTP,GMO,IBW,INL,IPM,ITA,JMF,MTH,PFT,QPR,RRS, 18. AgendaImprovingSecurityR12SecurityduringtheUpgradeEnhancementsQ&A 12345 11iandR12 R12New Differences SecurityFeatures 19. ProtectingDatabaseAccountsUseAFPASSWDratherthanFNDCPASS LockProductsSchemaAccounts> AFPASSWDLTRUE Improvedseparationofduties Fewererrorschangingpasswordwithpasswordconfirmation entry SeeR12SAG ConfigurationOracle11gcasesensitivepasswords(12.1only) SEC_CASE_SENSITIVE_LOGON=TRUE APPLSYSPUBmustalwaysbeuppercaseChangetheAPPLSYSPUBpassword FinallyworksinR12andsupportedbyOracle AlsomakesurethepasswordischangedinAutoConfig 20. WebServerTrafficEncryption(SSL) ImprovedSSLsupport Changedfrommod_ssl >mod_ossl UsesOracleWalletforstoringcertificates OnlystrongciphersenabledandSSLv2disabled ProvidesAutoConfig supportforsecuringthe majorcommunicationrouteswithSSL. SeeMetalinkNoteID376700.1 21. AdvancedConfigurationWizardsNewAdvancedConfigurationWizardsforcomplexsetupsofadvancedconfigurations AvailablethroughOAM DNSloadbalancing HTTPloadbalancing SSLsetuponwebserver SSLAcceleratorsetup 22. AgendaImprovingSecurityR12SecurityduringtheUpgradeEnhancementsQ&A 12345 11iandR12 R12New Differences SecurityFeatures 23. OracleConnectionManagerOracleConnectionManagerSupported Advancedsecuritytorestrictdatabaseconnections LikeManagedSQL*NetAccess,butonsteroids SeeMetalinkNoteID558959.1 24. RBACandUserManagementRoleBasedAccessControl(RBAC) RBACisanANSIstandardforaccesscontrol Allowsforresponsibilitiestobeassignedthroughroles RoleInheritanceandRoleCategories SeeMetalinkNoteID290525.1OracleUserManagement(UMX) Newuserregistration EnhancedForgetUsername/PasswordFunctionality Newsecuritywizards 25. ProxyUserProxyUserallowsausertospecifyaproxywhocanactontheirbehalf. Forexample,anexecutivecandesignatean assistantasaproxy,allowingthatassistantto Create,editorapprovetransactionsonbehalfof thatexecutiveGenerally,avoiduseduetoauditingissuesCanbeusedtosolvetheconcurrentrequestschedulingproblem 26. PCIPADSSOraclePADSSConsolidatedPatchfor12.1 ReducescomplexityofPCIDSScompliance Fixesmultiplefunctionalweaknesseswhenprocessing andviewingcreditcarddata Doesnoteliminatesignificantmanualconfigurationfor PCIDSS Only12.1isPADSScompliant SeeMetalinkNoteID984283.111iand12.0willnotbePADSScompliant SeeMetalinkNoteID1101213.1 27. R12UpgradeSecurityRecommendationsIncludesecuritytasksthroughouttheupgradeproject Implementhighvalue,loweffortsecurityimprovementsand enhancements LeveragethefreetestingcyclesAdheretotheOracleBestPracticesforOracleEBSsecurity SeeMetalinkNoteID403537.1 WrittenbyIntegrigy Oraclehasnotupdatedsince2007Validatethesecurityconfigurationpostupgrade Performapostupgradesecurityscanorreview Validatecomplianceagainstsecuritybestpractices OracleEBusinessSuiteiscomplexandthedevilisinthe details 28. AgendaImprovingSecurityR12SecurityduringtheUpgradeEnhancementsQ&A 12345 11iandR12 R12New Differences SecurityFeatures 29. UpcomingIntegrigyEventsWebinar:ProtectingYouSensitiveData Wednesday,March16,2pmEDTCOLLABORATE11 OAUGandIOUG ProtectingSensitiveDataintheOracleEBusinessSuite SecuringtheOracleEBusinessSuiteBestPracticesPanel SecurityBootcamp:ReallifeDatabaseSecurityMistakes CreditCardsandOracle:HowtoComplywithPCIDSS ReallifeEBusinessSuiteSecurityMistakes 30.