Recent Posts by David B. Cross

For this posting, I have an additional contributing guest author Steve Enevold, who is a Senior Director in the Oracle SaaS Engineering organization. Oracle SaaS Engineering, responsible for providing information to customers and prospects about how Oracle services are securely managed, is excited to announce the availability of the CAIQ for Oracle Cloud Applications. This is the third and final CAIQ - we recently published CAIQ for Oracle Fusion Cloud Applications and CAIQ...

In performance-sensitive environments such as SaaS, security teams must find ways to scale the security services that impact application systems. The Internet Content Adaptation Protocol (ICAP) allows Oracle SaaS Cloud Security (SCS) to offload critical antivirus scanning and reputational services onto separate systems. Introduction to ICAPICAP is a lightweight protocol specified in RFC 3507 for HTTP services. It sends traffic over port 1334 and provides a means to redirect or...

Continuing this blog series on DevSecOps, I have a contributing guest author, Patrick McLaughlin. Patrick is a SaaS Security Architect in the Oracle SaaS Cloud Security engineering group and helps drive the transformation of DevSecOps in Oracle SaaS. What are the Top 20 Security Controls? The Center for Internet Security (CIS) is a non-profit organization best known for its top 20 controls. For IT security professionals, these controls represent best practices for implementing a...

For this posting, I have a contributing guest author Alida Wilms, who is a Senior Principal Technical Writer in the Oracle SaaS Cloud Security (SCS) organization. In general, when leaders complete competitive analysis and business intelligence, their conclusions and actions depend on the comprehensiveness and quality of the data that they collect. Similarly, when security professionals look at how to protect their organization’s data, the security controls that they put in...

For this posting, I would like to introduce my guest author Phil Waters, who is a Principal Security Engineer in the SaaS Cloud Security (SCS) organization. When it comes to measuring the security of an information system, scanning is incredibly practical. A previous blog post discussed static code scanning capabilities of SAST tools. This post will provide additional context around the types of security scanning that we do in the Oracle SaaS Cloud Security (SCS) team. Product...

Continuing with this blog-series on DevSecOps, I have a contributing guest author, Patrick McLaughlin. Patrick is a SaaS Security Architect in the Oracle SaaS Cloud Security engineering group and helps drive the transformation of DevSecOps in Oracle SaaS. In this post, he explains how Oracle uses the available criteria and standards in each phase of the development cycle to provide the best security for its customers. Framework Introduction The National Institute of Standards...

Many of us are familiar with Security, Incident, and Event Management (SIEM) systems, which detect and monitor security events and activities. In this blog post, we want to show you that SIEMs have evolved and can now do much more. Most companies and system providers deploy a SIEM to get alerts and report on security-specific incidents and events in their systems. They build and deploy specific security rules, signatures, and use cases based on their applications, platforms,...

This week, I have a contributing guest author, Patrick McLaughlin, who is a SaaS Security Architect as part of the Oracle SaaS Cloud Security engineering group, which is helping drive the transformation of DevSecOps. DevOps aims to bring software development and maintenance closer to IT operations. It is designed to deliver new software features, enhancements to existing features, and bug fixes faster than traditional methods and with the same quality. DevOps combines...

For this posting, I would like to introduce my joint guest author Yibin Liao, who is a software developer in the SaaS Cloud Security (SCS) organization. Our first posting “Oracle SaaS Cloud Security Goes Way Way Beyond the Bare Minimum”, raised a question: how do you ensure that an attacker cannot disable or corrupt your security detection framework? Very simply, it is all about comprehensive monitoring and validation! In cybersecurity infrastructure, you must have a validation...