Topic

    Jeffry Husman
    Does OFSC support the Web Application Security?
    Topic posted January 30, 2019 by Jeffry Husman, tagged API / Integration, Configuration, Dispatch Functionally
    Content:

    Hi OFSC gurus,

    I was wondering if any of you could provide me with some assistance/familiarity with Web Application Security? I am currently working on implementing the integration between OFSC and external systems, involving more than one external system. One of the questions from their security guy is whether OFSC has the ability of Runtime Application Self-Protection (RASP) in place?

    Thanks, guys.


    Version:
    18D


    Comments

    • Graham Sawell

      Hi Jeffry,

      Your best bet would be to get in touch with Oracle directly on any security matters as it's an ever-evolving battle.

      • Jeffry Husman

        Hi Graham,

        Thanks for responding. Yes, I will contact Oracle support, but I've thought to get some information, from other OFSC implementers, first.


        • Graham Sawell

          From personal experience I know the team pushes for OWASP Top 10 prevention as a minimum. Standards like RASP are a nice theoretical defence, but I expect that enterprise cyberdefence teams, especially in multi-tenancy configurations like OFSC, cannot afford to let self-protection (which is still in relative infancy) run amok; there are attack vectors for RASP that target its need to 'fix' anomalies, causing denial of service concerns. Web clients can (and regularly do) bring with them opportunistic malware and XSS-compromised browsers; it becomes a bit of a mess. I imagine for this reason that Oracle prefers its ability to respond quickly to anomalies using dedicated security professionals, and prefers prevention as the key focus of its efforts.

          If the client is concerned about OFSC as a threat to their wider architecture, then I would suggest using OFSC's integrations passively, with certificate-based communication, managed by middleware that communicates with OFSC over a locked-down VPN. There's no possibility to extend the individual security on a per-customer basis in OFSC, but Oracle may have 'stamped' some form of RASP compliance that may keep these kinds of queries from customers at bay.

          Just my 2 cents, as you asked.

          • Jeffry Husman

            Your 2 cents is so appreciated, Graham.

            Yes, the client is concerned about the overall integration security, where OFSC is part of their architecture. It involves ServiceNow, OFSC, OIC (as the middleware) and SAP. The client security team is currently assessing all the security measures in place. As you have mentioned, the OFSC authentication will be certificate-based communication over the locked-down VPN.

            Thanks for the information surrounding the OWASP Top 10 prevention that the OFSC team is aware of.