Securing packaged software such as the Oracle E-Business Suite presents different challenges than securing bespoke custom software. Unlike custom software, both the structure and the security vulnerabilities of the Oracle E-Business Suite are well known and documented, not only to users but also to threat actors. To begin an attack, only limited probing and/or reconnaissance is needed because threat actors know exactly what to target and what to expect. This also makes the Oracle E-Business Suite, like other ERP platforms, vulnerable to automated attacks. Threat actors only need to compromise one publicly facing URL or web service, which, given the size and complexity of the Oracle E-Business Suite, makes securing it a somewhat daunting task.
Starting with version 12.1 and continuing with 12.2, the Oracle E-Business Suite delivers a considerable number of new web services and Mobile functionality as standard core functionality. Much, if not most, of this new Mobile and web services functionality replicates functionality previously only available through the traditional user interface forms and/or public interfaces, and these new web services can be easily deployed on the Internet through a DMZ node. The security implication of 12.2’s increased web services capabilities is that the Oracle E-Business Suite’s attack surface has increased and is harder to defend.
This blog series summarizes the new Mobile and web services functionality and reviews their security features before recommending best practices for using them securely.
If you have any questions, please contact us at firstname.lastname@example.org
-Michael Miller, CISSP-ISSMP, CCSP, CCSK
- Oracle E-Business Suite Mobile and Web Services Security – Integrigy Whitepaper
- Oracle E-Business Suite Mobile and Web Services Security – Integrigy Webinar
- Oracle E-Business Suite Release 12.2 Configuration in a DMZ (Note 1375670.1)