Friday, March 1, 2013

Oracle HAS done some good things in the past few years...

Before I post another scathing criticism of Oracle and their GRC strategy, I thought I'd post something positive about things Oracle has done to its credit in the past couple of years.

I follow closely a few key MOS notes related to security.  One is the "Secure Configuration Guide for Oracle E-Business Suite".  The R12 version is 403537.1 and the 11i version is 189367.1.  It used to be called "Best Practices for Securing Oracle E-Business Suite".  However, I am guessing the lawyers suggested dropping 'best practices' from the title because it implies 'completeness' of the recommendations.  I agree that these documents haven't been (and still are not) complete, so I can't blame the lawyers for presumably getting them to drop the language.  If I were a lawyer, that is what I would have recommended.

Having said this, I'd like to acknowledge a couple of things Oracle has done well.  In 403537.1, they have released a series of scripts to test for some of the issues identified in that document.  We have not evaluated the 'completeness' of these scripts, but partner firms of ours have and believe there are still many, many gaps.

Oracle has also released a new document (last October), 1334930.1, that 'breaks out' certain material that was previously part of the 403537.1 document.  In this document, they have released a powerful new SQL script to identify the sensitive access pages (forms that have serious security holes in them, such as the ability to run ad hoc SQL scripts, OS scripts, SQL injection, etc.).

For auditors and IT professionals who are looking for a good starting point in assessing some of these security issues, Oracle has finally given you some scripts to use.

The only caveat is... don't assume that the information is complete.  As of this writing, we have identified four forms that allow SQL statements that are not on their list.  There were two others that we had identified in years past that weren't in the earlier versions of their documents but are now included in them.  As we identify new ones, we are uploading our findings into the Internal Controls Repository, which is a repository we provide for end user organizations (sign up at:
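To show how an auditor would actually use a list of sensitive forms (Oracle's list plus any forms found locally), here is an added example query that is not Oracle's script from 1334930.1 and not from this post: it takes a list of form names and reports the active users and responsibilities that can reach those forms through the responsibility menu tree. The table and column names are the standard E-Business Suite FND schema as I know it (FND_FORM, FND_FORM_FUNCTIONS, FND_MENU_ENTRIES, FND_RESPONSIBILITY_VL, FND_RESP_FUNCTIONS, FND_USER_RESP_GROUPS, FND_USER) and should be checked against your release; the form names in the first CTE are placeholders to be replaced with the real ones.

```sql
-- Added audit example (not Oracle's script): which active users can reach a
-- set of sensitive forms via their responsibilities' menu trees.
-- Form names below are PLACEHOLDERS; substitute the forms from Oracle's list
-- and your own findings. Table/column names assume the standard FND schema.
WITH sensitive_forms AS (
    SELECT 'PLACEHOLDER_FORM_1' AS form_name FROM dual
    UNION ALL
    SELECT 'PLACEHOLDER_FORM_2' AS form_name FROM dual
),
-- Walk every responsibility's top menu down through its submenus and
-- collect each function that is reachable, tagged with the root menu.
menu_closure AS (
    SELECT CONNECT_BY_ROOT menu_id AS root_menu_id,
           function_id
    FROM   fnd_menu_entries
    START WITH menu_id IN (SELECT menu_id FROM fnd_responsibility_vl)
    CONNECT BY NOCYCLE PRIOR sub_menu_id = menu_id
)
SELECT DISTINCT
       u.user_name,
       r.responsibility_name,
       f.form_name,
       ff.function_name
FROM   sensitive_forms        sf
JOIN   fnd_form               f   ON f.form_name  = sf.form_name
JOIN   fnd_form_functions     ff  ON ff.form_id   = f.form_id
JOIN   menu_closure           mc  ON mc.function_id = ff.function_id
JOIN   fnd_responsibility_vl  r   ON r.menu_id    = mc.root_menu_id
JOIN   fnd_user_resp_groups   urg ON urg.responsibility_id             = r.responsibility_id
                                 AND urg.responsibility_application_id = r.application_id
JOIN   fnd_user               u   ON u.user_id    = urg.user_id
WHERE  (r.end_date   IS NULL OR r.end_date   > SYSDATE)   -- responsibility still active
AND    (urg.end_date IS NULL OR urg.end_date > SYSDATE)   -- assignment still active
AND    (u.end_date   IS NULL OR u.end_date   > SYSDATE)   -- user account still active
-- Drop functions the responsibility explicitly excludes (function-level rules).
AND    NOT EXISTS (
           SELECT 1
           FROM   fnd_resp_functions rf
           WHERE  rf.responsibility_id = r.responsibility_id
           AND    rf.application_id    = r.application_id
           AND    rf.rule_type         = 'F'
           AND    rf.action_id         = ff.function_id
       )
ORDER BY u.user_name, r.responsibility_name, f.form_name;
```

Two things to keep in mind when reading the output: the query honours function-level exclusions only, not menu-level exclusions (rule_type 'M'), so a responsibility that excludes a whole submenu may still be listed; and it reports reachability through the menu tree, not whether the user has ever opened the form. Reviewing the result per user, then chasing the unexpected ones against your own form findings, is the kind of follow-up the post is describing.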

Ok.  So now I can't be accused of never saying nice things about Oracle.  In the next blog I'll be back to my old critical self.  Have a great day and good luck overcoming Oracle Security Hell - as I like to affectionately call my business life :-)

Your self-appointed Audit Trail Evangelist,
Jeffrey T. Hare, CPA CISA CIA