Oracle E-Business Suite 12.2 Mobile and Web Services Security Requires Web Application Firewall (WAF)

This is the eighth posting in a blog series summarizing the new Oracle E-Business Suite 12.2 Mobile and web services functionality and recommendations for securing them.

Web Application Firewalls (WAFs) cannot replace the URL Firewall, nor can the URL Firewall replace WAFs.  The URL Firewall provides the critical function of only allowing those forms and web services that have been both hardened by Oracle and flagged by the client as being used – all other requests are blocked by the default-deny rules. The URL Firewall does not protect against common web attack techniques such as those below – this what WAFs protect against:

  • Denial of Service (DoS)
    • Flooding, recursive & oversized payloads
  • Injection & Malicious Code
    • XXC, SQLi, logic bombs, malformed content
  • Confidentiality and Integrigy
    • Parameter tampering, schema poisoning
  • Reconnaissance Attacks
    • Scanning and registry disclosure
  • Privilege Escalation Attacks
    • Race condition, format string, buffer overflow

Additional protection is required to secure Internet facing Oracle E-Business Suite web services. Third party WAFs can certainly be deployed, but Oracle Corporation’s API Gateway offers a compelling advantage for Oracle E-Business Suite clients. The API Gateway is a separate license option and is placed in front of the SOA Server (also a separate license option) to defend against the common web attack techniques specific to web services as identified above.

If you have any questions, please contact us at

-Michael Miller, CISSP-ISSMP, CCSP, CCSK



 Share this post