Steps to Stay Secure with Security Configuration Console ...


Transcript of Steps to Stay Secure with Security Configuration Console ...

Steps to Stay Secure with Security Configuration Console in Oracle E-Business Suite

Cristian Peque, Oracle Security Specialist, Onapsis, Inc.

Mike Miller, Product Architect, Onapsis Inc.

Session ID: 10739

April 8, 2019

About Onapsis

Agenda

• Oracle EBS Security Resources

• What Is the Security Console

• Defining a Process and Program for Security

Oracle E-Business Suite Security Resources


Evolution of the Security Console

2017: Additional checks added

2016: Security Console launched (Doc ID 2311308.1)

2015: Security Configuration and Auditing Scripts (Doc ID 2069190.1)

2011: E-Business Suite Diagnostic Tests Catalog for 12.1.2 (Doc ID 942527.1)

Prior: Security check scripts as part of the EBS Security Guide

EBS Security Documentation

Security Guide: Appendix E - Security Configuration Scripts

SQL scripts:

● Check Profile Errors - EBSCheckProfileErrors.sql
● Check Profile Warnings - EBSCheckProfileWarnings.sql
● Check Missing Profiles - EBSCheckProfileMissing.sql
● Check if new Security Features (in 12.2) are enabled - EBSCheckSecurityFeatures.sql
● Check Application Users With Default Passwords - EBSCheckUserPasswords.sql
● Check DB Users With Default Passwords - EBSCheckDBPasswords.sql
● Secure APPLSYSPUB - EBSCheckApplsyspubPrivs.sql
● Migrate to Password Hash - EBSCheckHashedPasswords.sql
● Use Secure Flag on DBC File (Implement Server Security) - EBSCheckServerSecurity.sql
● Enable Application Tier Secure Socket Layer (SSL) - EBSCheckSSL.sql
● Encrypt Credit Card Data - EBSCheckCCEncryption.sql
● Separation of Duties: Review Access To "Sensitive Administrative Pages" - EBSCheckSensitivePageAccess.sql
● Check status of 12.2 security features - EBSCheckSecurityFeatures.sql

Shell scripts:

● Validate that Forms Block Characters is set correctly - EBSCheckFormsBlockChar.sh
● Turn on ModSecurity - EBSCheckModSecurity.sh

Support Doc ID 2069190.1

EBS Diagnostic Scripts

What Is the Security Console


Oracle EBS Security Console

• What is it?
 – Standard functionality of EBS to provide a snapshot of security health
 – Set of High Priority security configuration checks
 – For more info, see the Security Guide Release 12.2 (E22952-22)

• How to get it?
 – Upgrade to the latest ATG_PF Release Update Pack with 12.2.6+
 – 12.1.3 backport with patch 26090737

Where Is the Security Console and What Does It Look Like?

20+ High Priority Checks

Technical notes, documentation and detailed instructions - highly technical

Checks: 1-10

Look Familiar?

Checks: 11-20

Looking for ModSecurity setup note: Fusion Middleware Administrator's Guide for Oracle HTTP Server https://docs.oracle.com/cd/E29542_01/web.1111/e10144/config_mod_sec.htm#CIHDAHJI

Checks: 21-24

Security Console: Key Design Features

● Provides a graphical user interface to existing security health check scripts
● After installation (or upgrade/patching), end-user logins are completely restricted and blocked in "Locked Down" mode
 ○ No users can access the system!
● EBS can only be "unlocked" after an admin resolves, acknowledges or mutes security issues within the Security Console
 ○ One time event
● Once "unlocked" the Security Console is available in the 'Functional Administrator' responsibility

Is it the Easy Button for Security?

How to Stay Secure As A Process


How to Stay Secure with the Security Console

• By all means
 – Read the documentation to use the security config health check scripts
 – Use the Diagnostic Utilities (additional checks for: database, SOA Gateway etc.)
 – Use the Security Console
 – Make full use of all the tools and utilities that Oracle gives you

• The question is HOW to use them
 – When they should be used
 – Who is receiving what output and information
 – Who is making what decisions

Security Is a Process

- Security is NOT provided by any one tool, team, technology or vendor
- The Security Console only looks for High Priority issues
- The process of security is continuous
- What happens to things after go-live
- People create security through discussion and decision making
- Target audience for the Security Console is not risk decision makers
- Not possible and/or feasible for the Security Console to automatically send issues to IT governance solutions such as ticket systems, GRC or SIEM solutions
- Need formal processes to continuously communicate risk to all parties: Risk, Security, Compliance and IT
- "Power checking" to "unlock" EBS does not create security

Be Curious - There Is Much More to Think About

Here are a few recommendations for securing the Oracle EBS.

Model based on Gartner's Adaptive Attack Protection (April 2018):

- Continuous Monitoring, Measuring & Learning
- Discover & Define
- Assess & Prioritize
- Prevent & Protect
- Detect & Respond
- Remediate & Comply

ERP Cybersecurity Is a Continuous Process

Security Is Created by People Communicating


Onapsis Sessions At Collaborate & Visit Booth #327

Oracle E-Business Suite: Key Audit & Compliance Advantages to Running in the Cloud - Monday, April 8, 3:15 PM, GH 4TH FL Texas Salon D

Steps to Stay Secure with Security Configuration Console in Oracle E-Business Suite - Monday, April 8, 4:30 PM, GH 4TH FL Texas Salon B

Hackproofing and Protecting Oracle E-Business Suite - Wednesday, April 10, 8:00 AM, GH 4TH FL Crockett D

How to Implement Oracle Critical Patch Updates for EBS - Thursday, April 11, 10:30 AM, GH 4TH FL Seguin B