Security Standards for Oracle E-Business Suite; the good, the bad the ugly
Over the last 10 years we have uncovered several issues with
this document. We have published our
findings from time to time and Oracle has acknowledged use of our feedback in
their documentation.
Recently we have identified four other issues that we’d like to address
that frankly has us questioning the quality and completeness of the document as
well as questioning the quality and completeness of the internal processes that
should be influencing this document.
I wrote an article documenting the pros and cons of this
document that I’d encourage you to download and read. The MOS Note presents various risks that
organizations need to be aware of and Oracle provides some recommendations
related to these risks. You can access
this article here.
Conclusion
I have identified several major issues with this MOS note. Why isn’t Oracle updating their documentation
when they release new forms that allow SQL injection? Could it be the problem is with their
development standards and peer review process?
Are they not identifying these risks as part of their development
process? If so, isn’t that a bigger
concern. Perhaps this is why they have
backed off making ‘best practice’ recommendations.
Why doesn’t Oracle see the ability to decrypt credit card
and bank account data as a security risk?
How is it these deficiencies exist in their documentation
(failure to identify that JTF_FM_QUERY is a view and that they aren’t
monitoring the ALR_ACTIONS table) and have gone
unnoticed for over three years from the release of this guidance in September
2011? The only logical conclusion
is they are not implementing and testing their own guidance.
Over the past few years, we have noted deficiencies in the
easiest of these recommendations – seeded application users and seeded database
users. We have also identified four new
functions which allow SQL injection that have not been updated in their
documentation. At one point, there were
five, but two of them have been since added to their documentation. We have published the three functions above.
My concern is that organizations relying on this guidance
have a false sense of ‘security’ if they follow this guidance. Following this ‘guidance’ is certainly
necessary at a minimum, but additional risks exist that Oracle isn’t adding to
their documentation. We’d love to see
Oracle increase its effectiveness which can only be done by taking a hard look
at their internal standards and setting a regular schedule for testing their
guidance and updating this documentation.
Compliance with this document is necessary, but with Oracle, sometimes
you need to fill in the blanks…
Recommended Services from ERP Risk Advisors
We offer assessment services that can evaluate your
organization’s compliance with part or all of the recommendations in this MOS
Note along with other high risks not considered by Oracle. This engagement can range from one to six
weeks.
Since some of these risks need to be evaluated by reviewing
access controls, a SaaS service to review role design may also be
appropriate. We perform that service
through our partner, CaoSys.
Contact us at erpra.net/contactus.html for more information about these services or
CaoSys GRC solutions if you are interested in learning more. We offer our Role / Responsibility analysis consulting
as a service (CS*Proviso) or via installed software (CS*Comply). See more about CaoSys GRC solutions at caosys.com.
About ERP Risk Advisors
ERP Risk Advisors is a leading provider of Risk Advisory
services for organizations using Oracle Applications. We provide consulting and training services
related to compliance, security, risk management, and controls. We also assist organizations in implementing
GRC-related software from industry-leading companies such as Oracle, CaoSys,
Smart ERP Solutions, and MentiSoftware.
About Jeffrey T. Hare, CPA CISA CIA
Jeffrey Hare, CPA CIA CISA is the founder and CEO of ERP
Risk Advisors. His extensive background
includes public accounting (including Big 4 experience), industry, and Oracle
Applications consulting experience.
Jeffrey has been working in the Oracle Applications space since 1998
with implementation, upgrade, and support experience. Jeffrey is a Certified Public Accountant
(CPA), a Certified Information Systems Auditor (CISA), and a Certified Internal
Auditor (CIA). Jeffrey has worked in
various countries including Austria, Australia, Brazil, Canada, Germany,
Ireland, Mexico, Panama, Saudi Arabia, United Arab Emirates, and United
Kingdom. Jeffrey is a graduate of
Arizona State University and lives in northern Colorado with his wife and three
daughters. You can reach him at
jhare@erpra.net or (970) 324-1450
Jeffrey's first solo book project Oracle E-Business Suite Controls: Application Security Best Practices was released in 2009. He published a second book called Auditing Oracle E-Business Suite: Common Issues in 2015. He is working on an expansion of his first book which will be called Oracle E-Business Suite Controls: Foundational Principles and is working on an update for his second book. Both are expected to be released in 2017.
He has written various white papers and other articles, some of which have been published by organizations such as ISACA, the ACFE, and the OAUG. Jeffrey is a contributing author for the book “Best Practices in Financial Risk Management” published in 2009.
He has written various white papers and other articles, some of which have been published by organizations such as ISACA, the ACFE, and the OAUG. Jeffrey is a contributing author for the book “Best Practices in Financial Risk Management” published in 2009.
LinkedIn: linkedin.com/in/jeffreythare
Twitter: twitter.com/jeffreythare
Blog: jeffreythare.blogspot.com
