Friday, March 19, 2010

Another example of Oracle not focusing on Best Practices

Look at Metalink Note 227010.1. This note is for "Script to check for Default Passwords being used for some common usernames."

Why just 'common' usernames? Why not all usernames? Why can't they maintain this document and the related test scripts for all known usernames? Would it be so difficult to add a step to their development QA process to update this document whenever a new schema or another type of default database user is added? It is ironic that the published script doesn't even take into account all the usernames that their own "Best Practices" documents - 189367.1 and 403537.1 - suggest monitoring, and those documents aren't being maintained either (see the earlier blog post below).
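For comparison, here is the kind of check the note could ship instead of a fixed list of "common" usernames. This is an added example, not the script from Note 227010.1 or anything else Oracle publishes. It assumes Oracle Database 11g or later, where the DBA_USERS_WITH_DEFPWD data dictionary view lists every account whose current password hash matches the seeded default Oracle knows for that account, and a session with SELECT privilege on DBA_USERS and DBA_USERS_WITH_DEFPWD. The join against DBA_USERS adds the status of each flagged account so that open accounts can be dealt with first.

```sql
-- Added example (not Oracle's Note 227010.1 script): list every database
-- account still on its seeded default password, whatever the username,
-- together with its status and profile.
-- Assumes Oracle 11g+ (DBA_USERS_WITH_DEFPWD exists) and SELECT on both views.
SELECT u.username,
       u.account_status,          -- OPEN accounts are the urgent ones
       u.profile,                 -- which password policy, if any, applies
       u.created,
       u.expiry_date
  FROM dba_users_with_defpwd d
  JOIN dba_users u
    ON u.username = d.username
 ORDER BY CASE WHEN u.account_status = 'OPEN' THEN 0 ELSE 1 END,
          u.username;
```

Two caveats a reviewer should keep in mind. First, the view only knows the defaults Oracle ships; a custom schema created with a weak password, or an E-Business Suite application user stored in FND_USER rather than as a database account, is invisible to it, so it answers "which seeded database accounts are untouched" and nothing more. Second, an account flagged here but LOCKED or EXPIRED is still a finding: the password should be changed, not just the status, since a lock can be lifted without anyone revisiting the password.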

Yet another example... Oracle, where is your Norman?

Oracle needs to focus on Best Practices

Arggghhh.... Look at Metalink Note 403537.1 - Best Practices for Securing Oracle E-Business Suite Release 12. It was last updated February 27, 2007. Yes... that is not a typo - 2007. The last update to this document was over three years ago. Is it possible that nothing has changed or nothing needed to be added to this document in over three years? Hardly the case. A lot has changed since then. New products have been launched and many new features have been added to existing applications. That SHOULD mean that new recommendations need to be added to the document - two obvious ones are new seeded database users and new seeded application users. We at ERP Risk Advisors have identified 10 new seeded application users (see the Internal Controls Repository, for end users only, at http://tech.groups.yahoo.com/group/oracleappsinternalcontrols/ for more on this topic).

If Oracle is going to produce a best practices document, it needs to maintain it or provide a caveat stating that the document is a sampling of best practices that should not be relied upon as a comprehensive list. Just my two cents...

Email me with comments at jhare@erpra.net.

Regards,
Jeffrey T. Hare, CPA CISA CIA
ERP Risk Advisors / ERP Seminars
www.erpseminars.com
www.erpra.net