Entries For: August 2006

August 30, 2006

FISMA and Oracle: 2005 Report Card

The Federal Information Security Management Act (FISMA) of 2002 requires all government agencies to submit to the Office of Management and Budget an annual evaluation of IT security across the agency.  The overall results of these reports are compiled and reported in the annual "Federal Computer Security Report Card", which scored the Federal government a D+.

One aspect of the evaluation process relates to the use of configuration policies for Oracle.  We reviewed the publicly available agency reports to compile an Oracle-specific report card to see how agencies are doing with one small slice of FISMA.  Of the 24 agencies, 10 have published the entire FISMA report.

The results are not encouraging -- even agencies that achieved high overall scores have not implemented configuration policies for Oracle.  The overall Oracle grade is a D- for the Federal government.

FISMA is much maligned as mostly a paperwork exercise that does little in practice to improve overall information security.  However, most Oracle security experts agree that applying a well-defined configuration policy or security checklist can dramatically improve database security.  A key factor in the success of such a configuration policy is that it can handle application-specific exceptions.  There are a number of very good security checklists available, including the Center for Internet Security Oracle Benchmark and the DoD Database STIG.

We looked at FISMA and Oracle compliance because we believe using standard configuration policies can benefit most, if not all, Oracle implementations.

Reference:

FISMA and Oracle: 2005 Report Card

August 27, 2006

11i: Oracle DMZ Configuration Document Updated

Oracle has updated the Oracle Applications 11i DMZ Configuration document (Metalink Note ID 287176.1).  "Oracle E-Business Suite 11i Configuration in a DMZ" is the definitive reference for implementing Oracle Applications in a DMZ that is externally accessible.  All the recommendations in this document should be closely followed and appropriately penetration tested prior to implementation.  We often find significant security issues in implementations due to minor configuration changes or skipped steps.

The updates primarily relate to the recent support for SSO in a DMZ configuration.  Oracle has released configuration build 4.0 for the integration of Oracle Application Server 10g (10.1.2.0.2) and Oracle Applications 11i (Metalink Note ID 233436.1).  The major change from 3.2 to 4.0 is the new support for SSO in the DMZ and the support of SSL with Oracle Internet Directory.  Appendix G contains the information for implementing SSO in the DMZ.  This support requires that 11.5.10 ATG Rollup Patch 4 be installed.

It is important to note that Oracle only supports 11.5.9 and 11.5.10 with significant patches and configuration changes to be externally accessible from the Internet.  All other releases are highly vulnerable and should never be directly accessible from the Internet.

The entire SSO configuration with Oracle Applications 11i has greatly improved, but it is still a work in progress.  If you are planning to implement advanced or complex configurations (DMZ, integration with third-party LDAP servers, etc.), be prepared for a lengthy and time-consuming implementation.  Also, carefully examine the true benefits vs. costs (time and additional licenses), since the external directory integration with Oracle Applications is very limited at this time.

August 08, 2006

Unwrapping PL/SQL

There was very little press coverage regarding Oracle security from last week's Black Hat security conference in Las Vegas.  I am a little surprised about the lack of attention in the media regarding Pete Finnigan's presentation on unwrapping PL/SQL code. 

Few Oracle DBAs and developers are aware of just how weak the Oracle wrapping method is (although it is improved in 10g).  Sensitive packaged applications (banking, etc.) are usually delivered with wrapped PL/SQL packages, and developers often wrap encryption-related packages in applications.  Protecting and storing encryption keys for an application can be a difficult challenge, which is usually solved by wrapping the package rather than using Oracle Wallet or some other more secure mechanism.

Pete's presentation provides excellent insight into how Oracle's simplistic wrapping mechanism works and highlights why no one should consider wrapping PL/SQL as a safe method to deliver applications or to protect encryption keys.  There is more than enough technical detail in his presentation to provide any motivated Oracle developer enough information to unwrap PL/SQL.

August 01, 2006

Bad Oracle Security Press Coming Soon

You may want to warn your CIO and IT Security Manager that some bad press about Oracle security will be coming later this week and next week.  The annual Black Hat conference in Las Vegas is Wednesday and Thursday of this week.  Every year this conference gets significant media exposure -- last year it was the controversy regarding Cisco and Michael Lynn.  There don't seem to be any major headlines this year, so the press may be digging for stories.

A number of Oracle security experts are presenting on various topics, and the press is always looking for dirt on Oracle.  Here is a quick overview of the Oracle-related presentations:

  1. "How to Unwrap Oracle PL/SQL" by Pete Finnigan - Most DBAs assume that wrapped Oracle code is fairly secure, and wrapping is often used to protect sensitive code and encryption keys.  This presentation will debunk this myth and show how easy it actually is to unwrap the code.  The press will jump on this presentation as another example of how Oracle is not secure.  I think the true story is that many more bug hunters will now have access to the wrapped source code of standard Oracle packages, and in the coming months you will see an increase in the number of Oracle security bug reports.
  2. "Oracle Rootkits 2.0: The Next Generation" by Alexander Kornbrust - Alex has presented on Oracle rootkits before, but has refined and expanded the Oracle rootkit concept.
  3. "TBA" by David Litchfield - Again this year, David has not released the topic of his talk.  At previous conferences, David has released information regarding unpatched Oracle vulnerabilities.  It will be interesting to see what his presentation topic is this year.