Whitepapers and Presentations

IOUG - Real-life Database Security Mistakes
IOUG COLLABORATE 08 Presentation - You did everything by the book, followed the database security checklists, and implemented security best practices, but one day you find significant security issues in one of your databases. How did this happen? After auditing hundreds of databases, I have compiled a list of common database security mistakes and the potential causes of each mistake. Learn from others' mistakes and what you can do to prevent these mistakes from happening on your watch. Common database security mistakes can impact every aspect of the Oracle Database and include reappearing default passwords, misapplied Critical Patch Update security patches, and wayward privileges and grants. Time is the chief enemy of database security, as many security mistakes are innocently introduced over time, so security needs to be a process rather than a one-time task.
IOUG - Oracle Database Critical Patch Updates Unwrapped
IOUG COLLABORATE 08 Presentation - Ever wonder what is being fixed in an Oracle Critical Patch Update? As a follow-up to the 2007 IOUG SELECT Journal article "Oracle Critical Patch Updates: Common Questions", this session will provide an inside look at the Critical Patch Updates (CPU) and the security bugs fixed by the CPU patches. Understand what buffer overflows and SQL injection attacks are by seeing how these types of security bugs compromise the security of the database. Learn about the complexities of the CPU patches, including certification issues, patch differences across operating systems, and why the latest database version may not yet have released security fixes. Best practices for installing and testing CPU patches will be discussed.
OAUG - Oracle E-Business Suite Critical Patch Updates: Insight and Understanding
OAUG COLLABORATE 08 Presentation - Security bugs in Oracle Applications are fixed by Oracle on a quarterly basis with Critical Patch Updates (CPU). The security researcher who has discovered many of these bugs will provide insight into the types of security issues fixed by these patches. Understand what buffer overflows and SQL injection attacks are by seeing how these types of security bugs compromise the security of Oracle Applications. Best practices for installing and testing CPU patches will be discussed.
Building an Audit Trail in an Oracle Applications Environment
Sarbanes-Oxley’s section 404 requires a company’s key systems be audited. However, many companies have 'unauditable' systems and don’t even know it. This paper explores methods by which companies can create an auditable system by implementing various levels of audit trails in Oracle Applications. This paper was co-written with Jeffrey Hare of ERP Seminars and was the featured article in the Spring 2006 issue of OAUG Insight magazine.
Oracle Database Listener Security Guide
A guide to properly securing the Oracle Database Listener. Integrigy Consulting has found the Database Listener to be one of the most frequently overlooked security risks at customers. An overview of the Database Listener, its unique security risks, and step-by-step recommendations for securing it are provided.
Oracle Applications 11i Security Quick Reference
A quick reference card with important security information for Oracle Applications 11i. This handy card lists default user accounts, default ports, important patches, and auditing setups.
Credit Cards and Oracle Applications: Security and PCI Compliance Issues
Credit card data breaches are headline news, so organizations must properly protect credit card data or risk being tomorrow's headline. Oracle Applications implementations that "store, process, or transmit cardholder data" must comply with Payment Card Industry (PCI) security standards regardless of size or transaction volume. PCI is focused on securely handling cardholder data, but also places a significant emphasis on general IT security. The difficulty with Oracle Applications and achieving PCI compliance is that even though credit card processing may be only one minor feature, the entire application installation must be fully PCI compliant due to the tight integration and data model of Oracle Applications. This presentation will review the credit card processing within Oracle Applications and will provide general guidance for Oracle Applications implementations on securing cardholder data and complying with relevant PCI requirements.
An Introduction to SQL Injection Attacks for Oracle Developers
Most application developers underestimate the risk of SQL injection attacks against web applications that use Oracle as the back-end database. This paper is intended for application developers, database administrators, and application auditors to highlight the risk of SQL injection attacks and demonstrate why web applications may be vulnerable.
Hashing Credit Card Numbers: Unsafe Application Practices
Cryptographic hash functions seem to be an ideal method for protecting and securely storing credit card numbers in ecommerce and payment applications. A hash function generates a secure, one-way digital fingerprint that is irreversible and meets frequent business requirements for searching and matching of card numbers. However, due to the predictability of credit card numbers and common business requirements in processing credit cards, ecommerce and payment applications may implement such hashing of card numbers in an unsafe manner that allows an attacker to obtain a large percentage of card numbers by brute forcing compromised hashes in a matter of hours. This paper is an analysis of actual application practices for storing of credit card number hashes and a review of brute force attack methods against such hashes. The impetus for this paper was identification of this issue during multiple application security assessments. The objective is to highlight the weakness of common credit card hashing techniques and to educate application architects and programmers on the issues of storing credit card numbers as hashes.
Oracle Applications 11i: Credit Cards and PCI Compliance Issues
All Oracle Applications implementations that "store, process, or transmit cardholder data" must comply with Payment Card Industry (PCI) Data Security Standard 1.1 regardless of size or transaction volume. The PCI Data Security Standard (DSS) 1.1 is a set of stringent security requirements for networks, network devices, servers, and applications. The difficulty with Oracle Applications and achieving PCI compliance is that even though credit card processing may be only one minor feature of the application, the entire application installation must be fully PCI DSS compliant due to the tight integration and data model of Oracle Applications. This paper reviews the credit card processing features of Oracle Applications and provides general guidance for Oracle Applications implementations on complying with relevant PCI DSS requirements.
Oracle Applications Password Decryption
Most Oracle Applications 11i implementations are vulnerable to a significant security weakness in the encryption of passwords within the application, where an insider may be able to circumvent all application controls by accessing any application account or obtaining the APPS database account password. This issue is really a "perfect storm" with the convergence of (1) an inherent architectural weakness in the application, (2) generally accepted insecure operational procedures for ad-hoc query access and cloning, and (3) multiple examples of effective, easy-to-execute exploit code for decrypting application passwords.
Evading Network-Based Oracle Database Intrusion Detection Systems
With the advent of legislative mandates like Sarbanes-Oxley (SOX) and the Health Insurance Portability and Accountability Act (HIPAA), the security and auditing of Oracle Databases has become much more of a priority for most organizations. A common solution has been to implement an Oracle-aware Intrusion Detection System (IDS) or auditing product to address these legislative mandates and increased auditor scrutiny. This paper looks at a number of techniques that may be used to evade such Oracle intrusion detection and auditing solutions, especially signature-based solutions.
FISMA and Oracle: 2005 Report Card
The Federal Information Security Management Act (FISMA) of 2002 requires all government agencies to submit to the Office of Management and Budget an annual evaluation of IT security across the agency. The overall results of these reports are compiled and reported in the annual "Federal Computer Security Report Card", which scored the Federal government a D+. One aspect of the evaluation process relates to the use of configuration policies for Oracle. We reviewed the publicly available agency reports to compile an Oracle-specific report card to see how agencies are doing with one small slice of FISMA. The results are not encouraging: even agencies that achieved high overall scores have not implemented configuration policies for Oracle. The overall Oracle grade is a D-.
DBA Guide to Understanding Sarbanes-Oxley (SOX) [Whitepaper]
The Sarbanes-Oxley Act (SOX) never mentions the words database or data; however, DBAs must ensure their databases are in compliance with Sarbanes-Oxley. Sarbanes-Oxley Section 404 simply states that management has the responsibility “for establishing and maintaining an adequate internal control structure and procedures for financial reporting.” How does this sentence relate to a database being compliant with Sarbanes-Oxley? Well, directly it doesn’t. But since the Oracle Applications 11i database contains data related to financial reporting, and manipulation of this data “could adversely affect the company’s ability to record, process, summarize, and report financial data”, the Oracle Applications database must be compliant with the requirements of Sarbanes-Oxley for effective internal controls as stated in Sections 302 and 404 of the Act.
DBA Guide to Understanding Sarbanes-Oxley (SOX) [Presentation]
The Sarbanes-Oxley Act (SOX) never mentions the words database or data; however, DBAs must ensure their databases are in compliance with Sarbanes-Oxley. Sarbanes-Oxley Section 404 simply states that management has the responsibility “for establishing and maintaining an adequate internal control structure and procedures for financial reporting.” How does this sentence relate to a database being compliant with Sarbanes-Oxley? Well, directly it doesn’t. But since the Oracle Applications 11i database contains data related to financial reporting, and manipulation of this data “could adversely affect the company’s ability to record, process, summarize, and report financial data”, the Oracle Applications database must be compliant with the requirements of Sarbanes-Oxley for effective internal controls as stated in Sections 302 and 404 of the Act.
Introduction to Oracle Applications Security Best Practices
A brief introduction to security best practices in an Oracle Applications environment. This presentation looks at IT Security challenges in an Oracle Applications implementation, overviews the Oracle Critical Patch Update process, and introduces a model for Sarbanes-Oxley (SOX) compliance.
Guide to Auditing in Oracle Applications
A guide to the auditing capabilities within Oracle Applications 11i. The different auditing features of the Oracle database and Oracle Applications are discussed in detail, with step-by-step configuration, access information, and purging details.
Oracle Current Security Issues
One of the world's leading Oracle security experts, Integrigy's CTO Stephen Kost, provides an analysis of recent events related to Oracle Database security. This presentation provides background and unique insight into the Oracle patching process (Quarterly Critical Patch Updates), weaknesses in the Oracle Database password hash algorithm, and the Oracle Voyager worm.
The Basics of Installing and Running Oracle Applications 11i Securely
Consider the impact if your core manufacturing system is brought down for a day, your general ledger data is hopelessly corrupted during year-end close, or your sensitive human resources data for every employee is stolen. Oracle Applications is often a company's most important application, and the consequences of having it compromised could be catastrophic. However, usually little effort is spent to properly secure Oracle Applications from real-world threats and common types of attacks due to implementation time constraints, limited IT budgets, and a lack of understanding of critical security issues. Security must be addressed during the installation, configuration, and management of Oracle Applications. Best practices and techniques to minimize security risks and issues associated with implementing and managing Oracle Applications will be discussed; topics will include required changes to profile options and configuration settings, auditing, user management, change management, and customizations.
Securing 11i - What Did You Miss?
Consider the impact if your core manufacturing system is brought down for a day, your general ledger data is hopelessly corrupted during year-end close, or your sensitive human resources data for every employee is stolen. Oracle Applications is often a company's most important application, and the consequences of having it compromised or damaged by malicious employees, hackers, or even cyber terrorists could be catastrophic. However, usually little effort is spent to properly secure Oracle Applications from real-world threats and common types of attacks due to implementation time constraints, limited IT budgets, and a lack of understanding of critical security issues. Application security is more important than ever due to the increased level of threats and the possible legal implications of legislation like Sarbanes-Oxley, Gramm-Leach-Bliley, HIPAA, and California SB 1386. The major security risks and problems associated with implementing Oracle Applications will be reviewed, along with how to properly protect your implementation. From IT executives to system administrators to database administrators, understanding what needs to be secured and a cost-effective method for doing it will help to protect your organization's investment in Oracle Applications.
Securing Oracle Applications - What You Need to Know
The infrastructure underlying Oracle Applications is often not well understood and thus sometimes not properly secured. Networks, web servers, application servers, and databases need to be carefully reviewed to ensure an environment that is well protected against both internal and external attacks. Most database and application administrators are not familiar with the nuances of the different components in the technology stack and must learn how to properly configure the entire technology stack for a secure implementation. This presentation explains in detail the security implications and issues related to deploying the Oracle Applications 11i infrastructure. It provides guidelines for configuring security for web servers, application servers, databases, and Oracle Applications.
Securing the Oracle Applications Infrastructure
This Oracle AppsWorld presentation explains in detail the security implications and issues related to deploying the Oracle Applications 11.0 and 11i infrastructure. It provides guidelines for configuring security in web servers, application servers, databases, and Oracle Applications. It also covers a security model for custom-developed components, including interfaces and database links.