At Onapsis we are dedicated to continuously improving security in business-critical applications. Today Onapsis Research Labs released the first Oracle Security In-Depth (OSID) paper. After several years (and 13 different documents) of publishing SAP Security In-Depth (SSID), we are increasing our library to now include Oracle applications. The main idea of this kind of paper is to have a deeper understanding of a specific subject, in this case, Oracle E-Business Suite Security. The first paper is titled “An Introduction To Oracle E-Business Suite Application Security”.
In this first OSID publication you will find a brief introduction to Oracle E-Business Suite and its history, information about the architecture and principal build components for Oracle E-Business Suite and its common exposure to the internet. We will then explain the content of Critical Patch Updates (CPU) and show some graphs to understand the vulnerabilities, their impact and Onapsis’ contribution of reporting vulnerabilities that were then fixed by Oracle. The following bar chart shows Oracle CPU’s evolution:
In the chart above, the bars represent the average CVSS in a specific CPU and the dots represent the maximum CVSS in this release. The numbers on the top of the bar represent the number of vulnerabilities published in each CPU. As can be seen in the last few years there is a clear trend in which, for EBS, Oracle has patched more vulnerabilities each CPU in average. These vulnerabilities also contain a higher impact and CVSS (risk). This is more or less aligned with the global trend in the information security industry and specifically in the business-critical application security field.
Another topic included in the paper is about security best practices, such as user responsibilities and password management, among others. Additionally, the implementation of cryptographic algorithms in Oracle E-Business Suite is reviewed, such as user password hashing and encrypted communication between client and server.
Finally, the bulk of the paper talks about the Open Web Application Security Project (OWASP) Top 10 vulnerabilities, which, as you may know, is the reference for web applications vulnerabilities. We review its famous TOP10 and link it to specific Oracle E-Business Suite vulnerabilities and best practices, such as SQL Injection, Cross-Site Scripting, Sensitive Data Exposure or attack surface reduction and more.
We fully believe that this paper is the best starting point for anyone who wants to get into E-Business Suite Application Security and we invite you to download the full document.
Onapsis Research Labs has been and will continue to release several blog posts on Oracle Security, so stay tuned to our site as we continue to publish about this topic.