Research

This is the fourth consecutive blog post in our series on how to make Oracle E-Business Suite more secure. In this post, we will focus on reducing the attack surface - something that is a critical component for any successful information security strategy. The more you can reduce the components that are exposed to attackers (and to vulnerabilities), the more you can focus on keeping your exposed systems secure. In Oracle E-Business Suite, this feature is called Allowed JSPs and Allowed resources.

For a third week, we’re providing you with best practices for securing your Oracle E-Business Suite implementation. Today, we are going to talk about a common topic: password security. When it comes to password policy, the first thing that probably comes to mind is having a secure password. That is why in addition to all network security layers, it is very important to have a proper password policy, along with a users list and groups so to follow a guideline of how passwords are formed.

Last week, we begin a blogpost series with the objective of reviewing Oracle E-Business Suite Security. The first publication detailed how to activate the Server Security Feature, and in today’s post we will focus on password hashing. We will analyze the different types of hashing and how it is implemented in Oracle E-Business Suite.

As most of our regular readers may know, the Onapsis Research Labs have been working on developing Oracle Security for several months. We’ve done this by updating our readers with analysis on quarterly patch updates, and to date have released over one hundred advisories for this platform. In our continous goal to provide the industry with greater resources to secure their business critical applications, starting today we will be publishing a series of weekly blog posts focusing on different areas of protecting Oracle E-Business Suite.

Yesterday, Oracle released its quarterly security patches and what a record breaking CPU it was! With close to 300 published patches, this marks the highest number of patches released to date for any CPU. This further validates the trend we have seen in previous CPU’s which is  to correct more vulnerabilities in Oracle products due to increased research submissions targeting different Oracle products.

While only in release candidate form, the current proposed changes to the OWASP Top 10 Application Security Risks provide clear guidance for any enterprise that needs to secure and protect their critical enterprise business applications. In general, the OWASP Top 10 and these two additions can be directly applied to an approach and methodology for securing ERP based business applications and systems.

In this month's post we will analyze the January 2017 Oracle Critical Patch Update (CPU) and how it relates to Oracle Business Critical Applications. This CPU is special because the number of vulnerabilities fixed sets a new record for the amount of vulnerabilities fixed in a single CPU for Business Critical Applications. At Onapsis, we believe there are two main factors that contribute to this record breaking number of vulnerabilities in a single CPU. These two factors are the Researchers and of course, Oracle itself.

SAP HANA evolved a lot in 2016, as did security focused on this critical platform. The year ended with the release of the “new generation” version, SAP HANA 2. Starting in early December, customers have been able to upgrade to this new version that SAP explains as big enough not to call it SAP HANA SP13. This new release is another testament to the success of SAP HANA adoption and will continue to increase the amount of customers that are moving to the world of the SAP in-memory database.

So, 2017 begins... and the first Patch Day has arrived. Today, SAP published its first Security Notes post of the year, making a total of 24 notes (21 published today) since the last Security Notes Tuesday in December. The amount of security corrections for each month starts consistent with last year (keeping the average of 25 SAP Security Notes per month). Today SAP published, for the second month in a row, SAP Security Notes for SAP ERP Defense Forces and Public Security.