Hi OFSC gurus,
I was wondering if any of you could provide me with some assistance/familiarity with Web Application Security? I am currently working on implementing the integration between OFSC and external systems, involving more than one external system. One of the questions from their security guy is whether OFSC has Runtime Application Self-Protection (RASP) in place?
Thanks, guys.
Hi Jeffry,
Your best bet would be to get in touch with Oracle directly on any security matters as it's an ever-evolving battle.
Hi Graham,
Thanks for responding. Yes, I will contact Oracle support, but I've thought to get some information, from other OFSC implementers, first.
From personal experience I know the team pushes for OWASP Top 10 prevention as a minimum. Standards like RASP are a nice theoretical defence, but I expect that enterprise cyberdefence teams, especially in multi-tenancy configurations like OFSC, cannot afford to let self-protection (which is still in relative infancy) run amok; there are attack vectors for RASP that target its need to 'fix' anomalies, causing denial of service concerns. Web clients can (and regularly do) bring with them opportunistic malware and XSS-compromised browsers, and it becomes a bit of a mess. I imagine for this reason that Oracle prefers their ability to respond quickly to anomalies using dedicated security professionals, and prefers prevention as the key focus of their efforts.
If the client is concerned about OFSC as a threat to their wider architecture, then I would suggest using OFSC's integrations passively, with certificate-based communication, managed by middleware that communicates with OFSC over a locked-down VPN. There's no possibility to extend the individual security on a per-customer basis in OFSC, but Oracle may have 'stamped' some form of RASP compliance that may keep these kinds of queries from customers at bay.
Just my 2 cents, as you asked
Your 2 cents is much appreciated, Graham.
Yes, the client is concerned about the overall integration security, where OFSC is part of their architecture. It involves ServiceNow, OFSC, OIC (as the middleware) and SAP. The client security team is currently assessing all the security measures in place. As you have mentioned, the OFSC authentication will be certificate-based communication over the locked-down VPN.
Thanks for the information surrounding the OWASP Top 10 prevention that the OFSC team is aware of.