For this post, we’re pleased to introduce contributing guest author, Robbie Rader, senior director for Offensive Security Operations in the SaaS Cloud Security (SCS) organization.
As customers continue to adopt their cloud strategies and evaluate their cloud service providers, they might ask about the timing and process of penetration testing in the Oracle software-as-a-service (SaaS) cloud. This question is one of many addressed with detailed answers, documentation, and links in the Oracle Fusion Applications Consensus Assessment Initiative Questionnaire (CAIQ). In this blog post, we dive into the topic of penetration testing, a subject of great interest within the community, particularly in the context of Oracle Cloud Applications.
Penetration testing is a form of security assessment used to identify potential vulnerabilities in an application, network, or infrastructure by simulating cyberattacks against the targeted, in-scope systems. This testing provides an organization with valuable insights into the strengths and weaknesses of the in-scope system. It should be performed regularly to help ensure the effectiveness of the program, because the vulnerability landscape is continuously evolving.
Penetration testing comes in various forms, such as black box (simulating external hackers), gray box (with limited information provided), and white box (focused on insider threats), but in all cases, the organization is informed before the tests begin. These tests are typically noisy and can trigger alarms for your defensive security teams if not properly communicated. Penetration tests usually operate within a specific testing window defined for the exercise. Unlike traditional penetration tests, red team testing campaigns are stealthy in nature and can last several months or even quarters, as we have discussed in a previous blog post.
Two aspects of penetration testing require explanation. The first is the type of penetration test:
The second pivot worth explaining is when a penetration test should be performed internally versus externally by a third party. Consider the following options:
Several audit frameworks commonly mandated in the Oracle Fusion application environment require penetration testing along with the reporting of results, including the following examples:
Many different methodologies and approaches to penetration testing exist, and the SCS organization uses the OWASP Top 10 and SANS Top 25 frameworks in our internal testing procedures.
Assessment methodology
The penetration testing methodology that the SCS organization uses is designed to simulate a malicious attack by a competent, motivated individual and is not strictly a checklist assessment approach. Oracle SaaS penetration testers employ the same techniques and tools as malicious hackers and have the same access to information about the target environment. The Oracle SaaS view of the system is external and reflects the attacker's point of view. The methodology is based on industry standards and best practices, such as the Open Source Security Testing Methodology Manual from ISECOM, NIST SP 800-115, and the OWASP Web Security Testing Guide, and is continuously adapted to any changes in the perceived threat model.
When performing security assessments and penetration tests, Oracle SaaS security generally conducts the following assessment phases:
Information gathered in earlier phases determines the actions and tools employed in later phases. For less familiar or uncommon environment technology stacks, more research can be conducted during the "Review and identification of false positives" phase to identify relevant testing techniques and tools available in the public domain.
Oracle’s strategic priority in handling vulnerabilities is to remediate identified issues based on their severity and the risk they pose within the context of the specific application or service. The CVSS Base Score is one of the key criteria used to assess the relative severity of vulnerabilities. All identified vulnerabilities are tracked in a defect tracking system, and each fix undergoes thorough testing to prevent issues in production before each major release of an application. Oracle performs security testing and uses formal security criteria before bringing any new release into production.
At Oracle, security testing is done throughout our development and production lifecycles and includes static application security testing (SAST), dynamic application security testing (DAST), and software composition analysis (SCA), among other types of scanning and analysis activities, as we have shared in the blog post, Remaining Vigilant: Security Scanning Throughout the Oracle SaaS Application Lifecycle.
We know that transparency is crucial in developing strong partnerships with our customers. So, each penetration testing report also provides an Oracle response containing Oracle’s position for each finding discovered, the Common Vulnerability Scoring System (CVSS) score, and the target timeline to remediate each finding. We also frequently rotate the external third-party penetration test providers to ensure the widest and most diverse experience coverage against the Oracle SaaS applications.
Penetration testing in a production environment is performed at least annually by a trusted third-party company, and summary reports are available upon request for existing SaaS customers. You can contact your Oracle customer success or account manager for the latest security assessment report.
Oracle SaaS doesn’t permit customers to contract or perform independent testing of SaaS cloud services because our services are complex multitenant infrastructure deployments and independent testing can result in potential unintended impacts unless approval is received. For more information, see the Security testing frequently asked questions.
In Oracle SaaS Cloud, penetration testing and vulnerability management are integral parts of our broader DevSecOps model. To be most effective, these processes require highly skilled security personnel and automation working together. Within Oracle SaaS, the SCS organization incorporates penetration testing results, insights, and analysis across multiple development security operations programs to maximize customer benefits and protections. We hope that these reports provide you with the confidence and assurance you need to adopt the right solution for your application and data needs.
David is the Senior Vice President for the Oracle SaaS Cloud Security engineering and operations organization. Previously, David was the public Cloud Security Engineering Director in the Google Security and Privacy organization and his preceding 18 years were spent with Microsoft in numerous security cloud, product and engineering leadership roles. David holds a B.S. in Computer Information Systems as well as an MBA with a Management Information Systems concentration and is a longtime advocate of security application and technology stemming back to his US military service.