Monday, January 30, 2017

Security standards for Oracle E-Business Suite; the good, the bad, the ugly...

Security Standards for Oracle E-Business Suite; the good, the bad the ugly

Organizations that use Oracle E-Business Suite rely on the quality and completeness of the guidance provided to them by Oracle through My Oracle Support (MOS).  There are several documents that organizations should know like the back of their hand and should have documented their compliance with the recommendations in detail.   One such document is MOS Note 403537.1 – Secure Configuration Guide for Oracle E-Business Suite.  Compliance with this document prior to going live is a necessity.  Because of changes being introduced by users, DBAs, security administrators, developers, and via patches provided by Oracle, compliance needs to be reviewed and re-tested on a regular basis. 

Over the last 10 years we have uncovered several issues with this document.  We have published our findings from time to time and Oracle has acknowledged use of our feedback in their documentation.   Recently we have identified four other issues that we’d like to address that frankly has us questioning the quality and completeness of the document as well as questioning the quality and completeness of the internal processes that should be influencing this document.

I wrote an article documenting the pros and cons of this document that I’d encourage you to download and read.  The MOS Note presents various risks that organizations need to be aware of and Oracle provides some recommendations related to these risks.  You can access this article here. 


I have identified several major issues with this MOS note.  Why isn’t Oracle updating their documentation when they release new forms that allow SQL injection?  Could it be the problem is with their development standards and peer review process?  Are they not identifying these risks as part of their development process?  If so, isn’t that a bigger concern.  Perhaps this is why they have backed off making ‘best practice’ recommendations. 

Why doesn’t Oracle see the ability to decrypt credit card and bank account data as a security risk?

How is it these deficiencies exist in their documentation (failure to identify that JTF_FM_QUERY is a view and that they aren’t monitoring the ALR_ACTIONS table) and have gone unnoticed for over three years from the release of this guidance in September 2011?  The only logical conclusion is they are not implementing and testing their own guidance.

Over the past few years, we have noted deficiencies in the easiest of these recommendations – seeded application users and seeded database users.  We have also identified four new functions which allow SQL injection that have not been updated in their documentation.  At one point, there were five, but two of them have been since added to their documentation.  We have published the three functions above.

My concern is that organizations relying on this guidance have a false sense of ‘security’ if they follow this guidance.  Following this ‘guidance’ is certainly necessary at a minimum, but additional risks exist that Oracle isn’t adding to their documentation.  We’d love to see Oracle increase its effectiveness which can only be done by taking a hard look at their internal standards and setting a regular schedule for testing their guidance and updating this documentation.  Compliance with this document is necessary, but with Oracle, sometimes you need to fill in the blanks…

Recommended Services from ERP Risk Advisors

We offer assessment services that can evaluate your organization’s compliance with part or all of the recommendations in this MOS Note along with other high risks not considered by Oracle.  This engagement can range from one to six weeks.

Since some of these risks need to be evaluated by reviewing access controls, a SaaS service to review role design may also be appropriate.  We perform that service through our partner, CaoSys.

Contact us at  for more information about these services or CaoSys GRC solutions if you are interested in learning more.  We offer our Role / Responsibility analysis consulting as a service (CS*Proviso) or via installed software (CS*Comply).  See more about CaoSys GRC solutions at

About ERP Risk Advisors

ERP Risk Advisors is a leading provider of Risk Advisory services for organizations using Oracle Applications.  We provide consulting and training services related to compliance, security, risk management, and controls.  We also assist organizations in implementing GRC-related software from industry-leading companies such as Oracle, CaoSys, Smart ERP Solutions, and MentiSoftware.

About Jeffrey T. Hare, CPA CISA CIA

Jeffrey Hare, CPA CIA CISA is the founder and CEO of ERP Risk Advisors.  His extensive background includes public accounting (including Big 4 experience), industry, and Oracle Applications consulting experience.    Jeffrey has been working in the Oracle Applications space since 1998 with implementation, upgrade, and support experience.  Jeffrey is a Certified Public Accountant (CPA), a Certified Information Systems Auditor (CISA), and a Certified Internal Auditor (CIA).   Jeffrey has worked in various countries including Austria, Australia, Brazil, Canada, Germany, Ireland, Mexico, Panama, Saudi Arabia, United Arab Emirates, and United Kingdom.  Jeffrey is a graduate of Arizona State University and lives in northern Colorado with his wife and three daughters.  You can reach him at or (970) 324-1450

Jeffrey's first solo book project Oracle E-Business Suite Controls: Application Security Best Practices was released in 2009.  He published a second book called Auditing Oracle E-Business Suite: Common Issues in 2015.   He is working on an expansion of his first book which will be called Oracle E-Business Suite Controls: Foundational Principles and is working on an update for his second book.  Both are expected to be released in 2017.

He has written various white papers and other articles, some of which have been published by organizations such as ISACA, the ACFE, and the OAUG.  Jeffrey is a contributing author for the book “Best Practices in Financial Risk Management” published in 2009.


No comments: