
Entries For: February 2007

February 28, 2007

R12: Updated Security Best Practices Document

Oracle has updated the "Best Practices for Securing Oracle E-Business Suite" document for Release 12. The new Metalink Note ID is 403537.1. Overall, there are very few changes to the document, and most of them only reflect the new R12 documentation.

The most significant changes to security for R12 are:
  • The introduction of the $INSTANCE_TOP, which consolidates all the configuration files and logs into a central location.  This centralization should make monitoring of logs and configuration changes much easier.
  • Elimination of mod_plsql (PL/SQL Gateway), which was the source of numerous security vulnerabilities.

Otherwise, all important security features in R12 are available in 11.5.10CU2 or 11i.ATG_PF.H RUP4.

February 21, 2007

11i: Expire All User Passwords

Occasionally, there is a need to expire all application user passwords in Oracle Applications 11i. Oracle now provides a script to expire all users' passwords in 11i.ATG_PF.H RUP4. The script is located at $FND_TOP/patch/115/sql/AFCPEXPIRE.sql. It can be executed using SQL*Plus or as the concurrent program "CP SQL*Plus Expire FND_USER Passwords".

AFCPEXPIRE.sql is a very simple script: a single update statement that sets the PASSWORD_DATE column to null in FND_USER.

However, because application user passwords can be decrypted, expiring all users' passwords in cloned instances is not an acceptable practice. Rather, all passwords must be changed when cloning. In 11.5.10+, the reset password feature can be used for users to access the cloned instance.