11i: SQL*Net Encryption Now Certified - Finally
Oracle has finally certified the use of Advanced Security Option/Advanced Network Option for encryption of SQL*Net traffic between the database and application servers. This certification had been promised for several years. The Advanced...

11i: Oracle Applications Technology (ATG) RUP Release Impact
As I have previously discussed (here and here), Oracle is requiring recent ATG rollup patches to be installed as prerequisites for the Critical Patch Updates. The ATG_PF rollups are generally released every 6 months. For ATG_PF.H the...

11i: October 2006 Critical Patch Update Requirements
Oracle is now pushing all 11.5.10 implementations even harder in terms of mandating minimum patch levels. The October 2006 Critical Patch Update (CPU) will require at least ATG_PF.H.RUP3 and ATG_PF.H.RUP4 is recommended. These patches...

FISMA and Oracle: 2005 Report Card
The Federal Information Security Management Act (FISMA) of 2002 requires all government agencies to submit to the Office of Management and Budget an annual evaluation of IT security across the agency. The overall results of these reports are...

11i: Oracle DMZ Configuration Document Updated
Oracle has updated the Oracle Applications 11i DMZ Configuration document (Metalink Note ID 287176.1). "Oracle E-Business Suite 11i Configuration in a DMZ" is the definitive reference for implementing Oracle Applications in a DMZ...

Unwrapping PL/SQL
There was very little press coverage regarding Oracle security from last week's Black Hat security conference in Las Vegas. I am a little surprised about the lack of attention in the media regarding Pete Finnigan's presentation on unwrapping...

Bad Oracle Security Press Coming Soon
You may want to warn your CIO and IT Security Manager that some bad press about Oracle security will be coming later this week and next week. The annual Black Hat conference in Las Vegas is Wednesday and Thursday of this week. Every year...

Un-patched Oracle Database Bugs - E-Business Suite Impact
There are currently three major un-patched and published Oracle Database security bugs and all three bugs impact the Oracle E-Business Suite. All Oracle Applications 11i implementations should review the possible impact on their installations to...

Oracle Critical Patch Update - July 2006 - E-Business Suite Tech Stack Matrix
We have released our E-Business Technology Stack Support Matrix for the Oracle Critical Patch Update (CPU) July 2006. The supported technology stack versions required by Oracle’s Critical Patch Updates (CPU) may be different from the certified...

Google Source Code Bug Finder
Google is such a powerful tool and people are finding new ways to exploit its capabilities. The newest use is to find security bugs in open source code, since much of this code is published in code repositories indexed by Google. Google searches...

11i: When Close is Not Enough - No Security Fixes for Early 11i Releases
Oracle has decided not to release any security fixes in the July 2006 Critical Patch Update for Oracle E-Business Suite releases 11.5.1 - 11.5.6. This may come as a shock to more than a few customers since the official Desupport date for 11.5.1 to...

11i: O7_DICTIONARY_ACCESSIBILITY and Auditors
A frequent topic of discussion after any security assessment or review by auditors is the setting of O7_DICTIONARY_ACCESSIBILITY in Oracle Applications. O7_DICTIONARY_ACCESSIBILITY is a database initialization parameter that controls access to...

11i: How to Check for Correct APPLSYSPUB Privileges in 11i
The APPLSYSPUB account is used by Oracle Applications to initially connect to the database and establish a session. This account normally should have limited privileges. However, during our audits the permissions assigned to APPLSYSPUB and PUBLIC...

Introduction
The Oracle Applications Security Blog will be a unique analysis and commentary on Oracle related security topics, especially related to Oracle Applications (the official product name is "Oracle E-Business Suite"). Since the Oracle Applications...
