Cloud Security Perspectives and Insights

Blog post to announce the global availability of Oracle Data Safe.

Blog post to announce the global availability of Oracle Data Safe.

As a senior security executive, building your security program within your budget while doing your best to mitigate the risks your organization faces is very much like assembling a very difficult puzzle. The nearly 5,000 security vendors offering more than 10,000 security products, along with the major cloud providers releasing more and more security services to strengthen the security of their solutions, makes assembling your own security puzzle a daunting task.

As a senior security executive, building your security program within your budget while doing your best to mitigate the risks your organization faces is very much like assembling a very...

Delving into all things security with Greg Jensen. Looking into the real risks of employees working with critical business data away from the secure confines of the business. What is the people, process and technology enablement of today vs just a few months ago that makes this happen?

Delving into all things security with Greg Jensen. Looking into the real risks of employees working with critical business data away from the secure confines of the business. What is the...

Oracle Cloud Infrastructure Vault lets you centrally manage and control use of keys and secrets across a wide range of OCI services and applications. We’re excited to announce the general availability of Software Protected Keys in OCI Vault service.

Oracle Cloud Infrastructure Vault lets you centrally manage and control use of keys and secrets across a wide range of OCI services and applications. We’re excited to announce the general availability...

In this blog, we will describe threat intelligence, its uses during the DevSecOps cycle, and how SaaS Cloud Security applies the threat intelligence lifecycle in its operations. Threat intelligence is information that a security team can use to take action against a threat. Good TI provides context so that a team can accurately protect against an identified threat.

In this blog, we will describe threat intelligence, its uses during the DevSecOps cycle, and how SaaS Cloud Security applies the threat intelligence lifecycle in its operations. Threat intelligence...

As many organizations change the way they interact with their customers, this government agency needed to move more transactions online and improve customer experience.

As many organizations change the way they interact with their customers, this government agency needed to move more transactions online and improve customer experience.

When it comes to measuring the security of an information system, scanning is incredibly practical. A previous blog post discussed static code scanning capabilities of SAST tools. This post will provide additional context around the types of security scanning that we do in the Oracle SaaS Cloud Security (SCS) team.

When it comes to measuring the security of an information system, scanning is incredibly practical. A previous blog post discussed static code scanning capabilities of SAST tools. This post...

In my latest quick tip, I am going to show you how to use Oracle Cloud Infrastructure(OCI) native notifications and events services to send alerts from Oracle Cloud Guard.

In my latest quick tip, I am going to show you how to use Oracle Cloud Infrastructure(OCI) native notifications and events services to send alerts from Oracle Cloud Guard.

Oracle Maximum Security Zones and Oracle Cloud Guard now available on Oracle Cloud Infrastructure. They work hand in hand to provide both preventative and detective security controls for your cloud environment. Maximum Security Zones is the preventative control, designed to stop you from making bad implementation choices that would weaken your security posture.

Oracle Maximum Security Zones and Oracle Cloud Guard now available on Oracle Cloud Infrastructure. They work hand in hand to provide both preventative and detective security controls for your...

Read this blog post to learn more about Oracle Cloud Guard, why it was released, and how it works.

Read this blog post to learn more about Oracle Cloud Guard, why it was released, and how it works.

The Oracle Cloud Infrastructure team is excited to announce two new capabilities: Oracle Maximum Security Zones and Oracle Security Advisors, now available to adopt on Oracle Cloud Infrastructure.

The Oracle Cloud Infrastructure team is excited to announce two new capabilities: Oracle Maximum Security Zones and Oracle Security Advisors, now available to adopt on Oracle Cloud Infrastructure.

Cloud security administrators have a difficult time balancing security in the cloud and maintaining business continuity. Oracle Cloud Infrastructure (OCI) Cloud Guard is a cloud-native detect-and-respond solution that detects misconfigured resources and insecure activities at scale.

Cloud security administrators have a difficult time balancing security in the cloud and maintaining business continuity. Oracle Cloud Infrastructure (OCI) Cloud Guard is a...

What does resiliency mean for enterprise technology? Read this post to hear more about how cloud computing can help your organization become more resilient.

What does resiliency mean for enterprise technology? Read this post to hear more about how cloud computing can help your organization become more resilient.

We recently released the latest version of Oracle Audit Vault and Database Firewall (AVDF).To help customers quickly adopt AVDF 20, we are running an Early Adopter Program (EAP).

We recently released the latest version of Oracle Audit Vault and Database Firewall (AVDF).To help customers quickly adopt AVDF 20, we are running an Early Adopter Program (EAP).

In quick tip #3, I want to explore another common topic I get questions about frequently, pricing.Specifically, how is Oracle Identity Cloud Service licensed?

In quick tip #3, I want to explore another common topic I get questions about frequently, pricing.Specifically, how is Oracle Identity Cloud Service licensed?

Organizations are continuing to evolve their security strategies around the realization that the user is the new perimeter. Today, organizations are embracing and implementing an identity-centric security model to manage risk and mitigate threats to the enterprise. 

Organizations are continuing to evolve their security strategies around the realization that the user is the new perimeter. Today, organizations are embracing and implementing an...

As we continue to the second post in the Quick Tip series, I will show you how to create multiple instances of Oracle Identity Cloud Service within your Oracle Cloud account.

As we continue to the second post in the Quick Tip series, I will show you how to create multiple instances of Oracle Identity Cloud Service within your Oracle Cloud account.

Oracle Data Safe now supports on-premises databases. In this blog post, I will explain how you can connect and register your on-premises database in Data Safe.

Oracle Data Safe now supports on-premises databases. In this blog post, I will explain how you can connect and register your on-premises database in Data Safe.

Organizations around the world are facing unprecedented security challenges, such as the necessity to rapidly simplify security operations while enabling employees to adopt a home office work model. A modern, secure architecture provides the reassurance that users can remotely access enterprise applications whilst mitigating against the malicious attacks which are prevalent in internet-facing applications.

Organizations around the world are facing unprecedented security challenges, such as the necessity to rapidly simplify security operations while enabling employees to adopt a home office work model. A...

The National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) has been under development since 2014 and its aim is to improve cybersecurity for critical infrastructure. Read this blog to learn how Oracle SaaS Cloud Security uses this framework.

The National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) has been under development since 2014 and its aim is to improve cybersecurity for critical infrastructure. Read...

What does fraud look like and how are organizations addressing it and examining risk within their organization? The Oracle and KPMG Cloud Threat Report series tackles these issues in the report “Addressing Cyber Risk and Fraud in the Cloud”.

What does fraud look like and how are organizations addressing it and examining risk within their organization? The Oracle and KPMG Cloud Threat Report series tackles these issues in the...

Oracle Data Safe simplifies database security with a unified cloud service that can assess user risks and security configurations, collect and secure audit data, and find sensitive data. Interested in learning more? Data Safe is now available for both cloud and on-premises databases.

Oracle Data Safe simplifies database security with a unified cloud service that can assess user risks and security configurations, collect and secure audit data, and find sensitive data. Interested in...

One of the primary value propositions for cloud is that it makes life easier by transferring some of the cost and complexity to the cloud vendor. But that doesn’t always hold up for security professionals. In a new research paper, Dao Research compares the cloud security capabilities offered by Amazon AWS, Google Cloud Platform, Microsoft Azure, and Oracle Cloud Infrastructure (OCI).

One of the primary value propositions for cloud is that it makes life easier by transferring some of the cost and complexity to the cloud vendor. But that doesn’t always hold up for...

It is very important to be proactive when managing user privileges. The principle of least privilege has been around since the dawn of the internet age – it’s simple in theory, but devilishly difficult in practice. This is where Oracle Database 19c Privilege Analysis comes into play.

It is very important to be proactive when managing user privileges. The principle of least privilege has been around since the dawn of the internet age – it’s simple in theory, but devilishly...

When migrating to the cloud, it’s critical to enable enterprise-level threat protection for your applications and their associated data. That’s why Oracle has partnered with Fortinet to provide best-of-breed security solutions that deploy natively within Oracle Cloud Infrastructure.

When migrating to the cloud, it’s critical to enable enterprise-level threat protection for your applications and their associated data. That’s why Oracle has partnered with Fortinet to provide...

Today’s security challenges call for a proactive ecosystem approach featuring automation, such as Oracle Autonomous Database and Autonomous Linux.

Today’s security challenges call for a proactive ecosystem approach featuring automation, such as Oracle Autonomous Database and Autonomous Linux.

When you move infrastructure to the cloud, data security expands from protecting data in your data center to protecting all the paths to the cloud. Integrated security using automation helps meet the challenge.

When you move infrastructure to the cloud, data security expands from protecting data in your data center to protecting all the paths to the cloud. Integrated security using automation helps meet the...

1. Introduction Oracle Cloud Infrastructure (OCI) Web Application Firewall (WAF) is an Oracle Cloud Service that protects your web applications against threats. Logs are available within the WAF Service. In this blog, we’re going to leverage those logs in order to build a comprehensive dashboard with Oracle Management Cloud (OMC) and get insights on what’s happening in the Web Application from a security perspective. The final result of this blog will be the dashboard shown below, including tabs for Activity Overview, Top 10 OWASP Threats, and detected events from several sources.  An exported version of this dashboard will be available at the end of this blog for you to import into your own OMC environment.   In this article, we will see how to forward WAF Logs to an OCI Object Storage Bucket, configure an OCI Event Service to trigger an OCI Serverless Function, utilize REST APIs to generate OAuth tokens to upload the logs into OMC Log Analytics, and finally import the above mentioned dashboard.. As a prerequisite, you should be familiar with OMC, IDCS, OCI and rest APIs. You will need an Oracle cloud account already provisioned with a specific compartment. If you don't already have an account, you can sign up for Oracle Cloud's Free Tier. Let’s proceed with my component called omcwaf_compartment, a WAF policy configured in that compartment, an OMC tenant, an OCI Object Storage created in the compartment and an IDCS account. You will need to make sure that you have admin access to all the accounts. Before starting, let’s prepare all the needed details from OCI, OMC, IDCS, WAF policy and OCI Object Storage.  You may find it useful to put the collected details along with their step number into a text editor for easy reference in later steps. All the needed resources to complete this integration are available for download. 2. COLLECT INFORMATION 2.1 From OCI 2.1.1. Go to Administration > Tenancy details and copy the tenancy OCID  2.1.2.  In Administration > Tenancy, pick the Region Name. Go to Administration > Region Management save the corresponding Region Identifier 2.1.3. In Administration > Identity > Users, create a new user for the integration between the WAF Log and the OCI Bucket. Add the API Public Key and copy the Fingerprint.  2.1.4. Copy the OCID 2.1.5. Click on Customer Secret Keys, and generate a new secret key. Save the secret key in a safe place 2.1.6. Copy the Access Key 2.1.7. In Administration > Identity > Groups, create a new group and add the user previously created on this group. Copy the group OCID 2.1.8. Copy the group name.   2.2 From OMC 2.2.1. Go to Administration > Agents, click on the navigation button on the right then select Download Agents.  Select  Gateway as the Agent Type, then copy TENANT_NAME from the bottom of the page 2.2.2. Copy the OMC URL from the browser URL bar ending with oraclecloud.com  2.3. From IDCS From OCI, Go to Identity > Federation , click on OracleIdentityCloudService. Copy the IDCS Console URL.  If you are not federating IDCS identity for OCI, you can obtain your IDCS Console URL when you log out of OMC.  It should have the format of https://idcs-<guid>.identity.oraclecloud.com 2.4. From IDCS 2.4.1. Go to Security > WAF Policies the click on the policy already created. Copy the Policy OCID. 2.4.2. Copy the CNAME Target  2.4.3. Copy the domain name of the target application  2.5. From Object Storage 2.5.1. Go to Object Storage and click on the Bucket you already created.  Copy the OCID 2.5.2. Copy the Bucket name 2.5.3. Copy the namespace 2.5.4. Click on the compartment and copy the compartment OCID 2.5.5. Copy the compartment name   3. FORWARD WAF LOG TO OCI BUCKET In order to forward WAF Logs to your OCI Bucket your created previously, you should create an SR with Oracle Support.  3.1. Set IAM Policy The user created in step 2.1.3 must have write permission on the bucket.  To do so, we need to grant privileges on the group that contain this user. 3.1.1. Go to Administration > Identity > Policy and create the below policy statement:  allow group <group_name_step_2.1.8> to manage object-family in compartment <compartment_name_step_2.5.5> 3.1.2. Copy the policy OCID 3.2. Raise a SR with Oracle Support Once the policy is set, raise an SR on your Oracle WAF Portal support and provide the following information: •    Domain name of the application (step 2.4.3), and additional domain name if applicable.  •    Access Key (step 2.1.6)  •    Secret Key (step 2.1.5) •    WAF Policy OCID (step 2.4.1) •    Bucket Name (step 2.5.2) •    Bucket OCID (step 2.5.1) •    Namespace (step 2.5.3) •    Tenancy OCID (step 2.1.1) •    Compartment OCID (step 2.5.4) •    Policy OCID (step: 3.1.2) •    Region identifier (step 2.1.2) •    Bucket Region. •    Upload Prefix: "%{+YYYY}/%{+MM}/%{+dd}/%{[log_type]}" The implementation should take a few days before seeing the logs on your OCI Bucket. Once completed, you should see logs arriving from WAF to your OCI Bucket: 4. SET UP OAUTH FOR OMC Here, we are going to create a client application, that uses a token to connect into OMC. This saves you from providing your username and password to authenticate the function. By granting the OMC Admin role to the client application, the application will be able to upload logs to OMC LA. 4.1. Obtain OMC Access Token Connect to IDCS and search to OMCEXTERNAL_<your_OMC_tenant> application and click on it. Click on generate access token, a generate Token popup should open. Select Customized Scope and Invoke IDCS APIs Download the token. This token will be used in the next steps.   4.2. Create an application for OAuth 4.2.1. Create a JSON file named newClientApp.json with the following content. The name, displayName field can be customized, but note that the name must end with _APPID Replace <OMC_URL> by the one in step 2.2.2. {   "name": "APPOMC_SERVICEAPI_APPID",   "displayName": "APPOMC_SERVICEAPI",   "description": "Test client for serviceapi",   "isAliasApp": false,   "active": true,   "isOAuthClient": true,   "clientType": "confidential",   "allowedGrants": [     "client_credentials"   ],   "allowedScopes": [     {       "fqs": "https://<OMC_URL>/serviceapi/"     }   ],   "isOAuthResource": true,   "accessTokenExpiry": 86400,   "audience": "https://<OMC_URL>",   "scopes": [     {       "value": "/serviceapi/"     }   ],   "basedOnTemplate": {     "value": "OPCAppTemplateId"   },   "serviceTypeVersion": "1.0",   "serviceTypeURN": "OMCEXTERNAL",   "schemas": [     "urn:ietf:params:scim:schemas:oracle:idcs:App"   ] } 4.2.2. Run the following command to create the application: Curl -X POST https://<IDCS_DOMAIN>/admin/v1/Apps -H ‘Content-Type: application/json’ -H “Authorization: Bearer <OAuth_Access_Token>” -d “@newClientApp.json” <OAuth Access Token> is the format token value below you saved in the file of the Step 4.1: {"app_access_token":"<OAuth Access Token>”} Replace <IDCS DOMAIN> by the domain got on the step: 2.3. Domain should be like: https://idcs-xxxxxxxxxxxxxxxxxxx.identity.oraclecloud.com From the response, save the <client secret>, the <id> and the <name>, we will use them later. 4.3. Grant OMC Admin Role to Client App On IDCS, click on Application, then your OMCEXTERNAL_<your_OMC_instance> instance Click on Application Roles and assign the Application previously created to OMC Administrator 5. SET UP FUNCTION ENVIRONMENT 5.1. Prerequisites Group and user we are going to use can be the same as the one created in step 2.1.3 5.1.1. Create a VCN and a subnet on your compartment. The VCN must egress via either NAT Gateway, Internet Gateway of Service 5.1.2. Create a policy in the root compartment with the following statements: Allow service FAAS to use virtual-network-family in tenancy Allow service FaaS to read repos in tenancy 5.1.3. As the user created in step 2.1.3 is not a tenancy administrator, so add the following statement: Allow group <group-name> to manage repos in tenancy Allow group <group-name> to read metrics in tenancy Allow group <group-name> to read objectstorage-namespaces in tenancy Allow group <group-name> to use virtual-network-family in tenancy Allow group <group-name> to manage functions-family in tenancy Allow group <group-name> to use cloud-shell in tenancy Replace the <group-name> by the one on step 2.1.8 Note: If necessary, you can restrict these policy statements by compartment 5.2. Create a function 5.2.1. On OCI Console, go to Developer Services and click on Functions 5.2.2. Select your compartment, then click on “Create Application”, let’s name it load-waf-logs-app. Select the VCN and the subnet previously created on the prerequisite part then click on save. 5.2.3. Once the Application is created, click on it and follow the Getting Started steps on the left side of the page using the Cloud Shell Setup: 1.    Launch Cloud Shell 2.    Set up fn CLI on Cloud Shell  3.    Update the context with the function’s compartment 4.    Update the context with the location of the Registry you want to use.  5.    Already generated in obtain OAuth OMC token 6.    Log to the registry. Note: use the user created previously, and the OAuth token.  7.    Verify your setup Stop the Getting Started steps here, and continue with the following instruction: 5.2.4. Create a loadlogs python function by entering:  fn init --runtime python loadlogs        A directory called loadlogs is created with 3 files: func.py, func.yaml, requirements.txt  5.2.5. Edit the file requirements.txt to contain these three lines: fdk requests oci 5.2.6. Edit the file func.py and replace it with the ODU python code available on the resources. 5.2.7. Deploy the function by running: fn -v deploy --app load-waf-logs-app 5.3. Create function parameters Click on the application load-waf-logs-app, click on Configuration on the left menu then add the following parameters: •    apiuser: is the application name chosen in the step 4.2 ending in _APPID •    apipwd: is the Application client secret saved at the end of the step 4.2  •    idcsurl: is the IDCS domain URL used at the end of the step 4.2  •    input_bucket: is the bucket name from the step 2.5.2 •    logSourceName: must by WAF_LOGS since it’s the logSourceName used on the exported resources of this blog •    omcurl: is the OMC URL from the browser URL bar in step 2.2.2 •    uploadName: use it to help isolate initial test uploads within Log Analytics but leave the parameter with an empty value or remove it when going to production Note: idcsurl and omcurl values should NOT include a trailing "/"   5.4. Create a Dynamic group for the Function In order to use other OCI Services, the function must be part of a dynamic group. To do so, from OCI console, go to Identity > Dynamic Group and create a new dynamic group fn_oci for example. On the matching rules, add the following statement by using the correct compartment OCID from step 2.5.4: ALL {resource.type = 'fnfunc', resource.compartment.id = 'ocid1.compartment.oc1..aaaaaxxxxx'} 6. SET UP EVENT RULE 6.1.  Bucket Storage configuration 6.1.1. Go to your Object Storage bucket where WAF Logs are stored, and enable Emit Object Events options: 6.2. Create IAM Policy The dynamic group previously created need to manage objects within your tenancy  To do so, go to identity > Policies and add the following statement: allow dynamic-group <name_choosen_in_step_5.4> to manage objects in tenancy Note: If necessary, you can restrict these policy statements by compartment. 6.3. Create an event rule From your OCI console menu, go to Application Integration then Events Service. Created a new rule as following: Event Matching: Event types Service Name: Object Storage Event Type: Object – Create Attributes: bucketName: bucket name from the step 2.5.2   Actions: -    Function application need to be called.    7. CONFIGURE OMC  7.1. Import Log Parsers   Download the Log Parsers export from the resources. Each Parser is a .zip file which contains the content.xml From OMC menu, go to Log Analytics then click on Administration home.  Click on the gear icon on the top right corner then click on import configuration content. Select your parsers. 7.2. Import Log sources  Download the Log Source export from the resources. and select the .zip file which contains the content.xml  From OMC menu, go to Log Analytics then click on Administration home.  Click on the gear icon on the top right corner then click on import configuration content. Select the .zip file. 7.3. Import dashboard Download the Dashboard json export from the resources. Launch the following curl command to import the dashboard into your OMC instance: curl -X PUT https://xxxx.omc.ocp.oraclecloud.com//serviceapi/dashboards.service/import -H 'cache-control: no-cache' -H 'Content-type: application/json' -u 'omc_username' --data @/path/to/exported/dashboard.json -o /tmp/import_output Use your OMC credentials. 8. RESOURCES Python function Log Source Parser 1  Parser 2 WAF Dashboard   9. FINAL RESULT The configuration is now completed. New log files arriving on the Object Storage Bucket will be uploaded to OMC under WAF_LOGS log source and start populating   OCI WAF dashboard as below:  A Global Overview summarizing the global access requests Map, by Country, by URL, by Application by Code Error, by Code Error by Time. it gives also insight on Security Rules triggered, by IP Address and by Time.    A second tab giving more insights on the OWASP Top 10 threats:  A third tab with details on all Threat Intelligence Feeds detection Another tab giving all details about detections based on Access Rules   Finally, a tab with details on all threats detected and blocked by the Javascript Challenge feature I hope you found this blog helpful. Here are a couple of next steps to help you get started:  If you don't have an Oracle Cloud Infrastructure account, try our Free Tier. To try the dashboard, download the json export from the resources.

1. Introduction Oracle Cloud Infrastructure (OCI) Web Application Firewall (WAF) is an Oracle Cloud Service that protects your web applications against threats. Logs are available within the...

In the first part of the remote workforce blog series, we described high-level architecture and covered detail around Identity Cloud Services, which is the solution's key component. In this entry, we will look into the more detailed architecture and other elements.

In the first part of the remote workforce blog series, we described high-level architecture and covered detail around Identity Cloud Services, which is the solution's key component. In this entry,...

So, you’ve just signed up to a shiny new cloud provider. It’s exciting when you realise that you not only have an almost unlimited supply of IaaS at your fingertips, however, before you get carried away spinning up compute and uploading your files into storage, you need to realise that you have a shared responsibility for security. In this blog, we will examine some use cases that we need to address with CSPM and then we’ll discuss how Oracle can help you to meet your security responsibilities in this area.

So, you’ve just signed up to a shiny new cloud provider. It’s exciting when you realise that you not only have an almost unlimited supply of IaaS at your fingertips, however, before you get carried...

We are thrilled to announce that the fully revamped and refreshed Oracle Audit Vault and Database Firewall 20 is now available to help you meet auditing and monitoring requirements for your databases whether they are on-premises or on the cloud.

We are thrilled to announce that the fully revamped and refreshed Oracle Audit Vault and Database Firewall 20 is now available to help you meet auditing and monitoring requirements for your databases...

We hope you enjoy this quick tip blog on accessing your Identity Cloud Service friendly URL.

We hope you enjoy this quick tip blog on accessing your Identity Cloud Service friendly URL.

Companies continue to transition to the cloud and add to their list of cloud providers at an amazing rate. But amidst all the excitement, there’s one thing that keeps getting lost in shuffle—the cloud security shared responsibility model.

Companies continue to transition to the cloud and add to their list of cloud providers at an amazing rate. But amidst all the excitement, there’s one thing that keeps getting lost in shuffle—the cloud...

Enabling safe access for remote workforce. Work from home. Strong authentication. Risk reduction.

Enabling safe access for remote workforce. Work from home. Strong authentication. Risk reduction.

Many of us are familiar with Security, Incident, and Event Management (SIEM) systems, which detect and monitor security events and activities. In this blog post, we want to show you that SIEMs have evolved and can now do much more.

Many of us are familiar with Security, Incident, and Event Management (SIEM) systems, which detect and monitor security events and activities. In this blog post, we want to show you that SIEMs have...

Oracle Enterprise Identity and Access Management Suite offers organizations a complete, integrated, next-generation identity management platform. However, organizations often experience challenges around maintaining their IAM solutions, that's where Oracle Partners like Simeio come in, providing customers with expertise and solutions that can help support success in IAM.

Oracle Enterprise Identity and Access Management Suite offers organizations a complete, integrated, next-generation identity management platform. However, organizations often experience challenges...

  For this posting, I would like to introduce my joint guest author Naveen Gupta, who is a Principal Security Engineer in the SaaS Cloud Security (SCS) organization.   Oracle has a long-standing, secure development product lifecycle that is a core component of the Oracle Software Security Assurance (OSSA) program. OSSA is Oracle’s methodology for building security into the design, build, testing, and maintenance of its products, whether they are used on-premises by customers, or delivered through Oracle Cloud. One of the requirements of the OSSA program is to evaluate Oracle functionality throughout the product lifecycle using static analysis tools. As mentioned in this Oracle blog, the Oracle SaaS Cloud Security (SCS) organization completes security testing during the DevSecOps cycle for SaaS applications such as Oracle Fusion Cloud. Static application security testing (SAST) is a white-box method of testing. SAST examines the source code to find software flaws and weaknesses that can lead to security risks. These risks are defined by various governing bodies and standards like OWASP, CWE, NIST, SANS, and PCI. DevSecOps aims to embed security into every part of the development, delivery, and operations processes. As most security vulnerabilities get introduced at the time of the coding, it is essential to identify and fix them at the earliest possible stage of the development cycle. The SCS team completes static analysis during the coding stage. We use SAST tools to analyze the source code of the application and bytecode without executing the application. Benefits of Using SAST Tools in SaaS When it comes to SaaS, secure coding is non-negotiable. Cloud service providers simply cannot afford to implement insecure applications and software systems. In a typical SaaS environment, the software development lifecycle (SDLC) works with the traditional CI/CD (Continuous Integration/ Continuous Deployment) DevOps model. There are multiple advantages that SAST brings to the SDLC for Oracle SaaS applications. Some of these are: (a) SAST tooling examines code in detail in the repository, thereby reducing the time and personnel required to identify potential security defects. Automated SAST tools are faster and can examine code more frequently, which is the very essence of a CI process. (b) Conventional threat modelling cannot anticipate every possible technique that attackers can use  to exploit the vulnerabilities that can exist in software. These vulnerabilities exist because even smart developers can make coding errors that cause vulnerabilities in an application. The use of SAST tools during software development therefore acts as a reliable defense against common application threats and coding errors. (c) SAST tools are integrated into the SDLC for Oracle SaaS. SAST helps to reduce the security risk in the application by enforcing checks at different phases. For example: (d) During the development phase, the applications developers incorporate SAST into their development tooling (with integrated development environment (IDE) plugins) and workflow. (e) At the build phase of the DevSecOps model, SAST tools are integrated into the software engineering system during CI/CD execution. (f) Before deployment, security teams use SAST tools to scan applications for security vulnerabilities. (g) In addition, some SAST tools can integrate with source repositories and automatically report vulnerabilities to defect tracking systems. (1) SAST tools are executed early in the SDLC, minimizing the risk of critical or high vulnerabilities getting into a deployed SaaS application. (2) SAST results are considered as evidence artifacts for SaaS applications that must comply with industry security audits like the Federal Risk and Authorization Management Program (FedRAMP) or Payment Card Industry Data Security Standard (PCI DSS). Types of Vulnerabilities Found with SAST Security vulnerabilities that we identify during the phases of the DevSecOps model often fall into the following types: - Input validation and representation - Application Programming Interface (API) abuse -  Authentication - Authorization - Security features - Errors - Code quality - Encapsulation - Auditing and logging   Figure 1: SAST occurs during the (Plan, Code, Build, Test) phases of the DevSecOps cycle SAST tools work directly on the source code, using an inside-out approach to perform security testing. SCS analyzes the results from the scan reports for multiple vulnerabilities to identify security issues. We use in-memory graphs to identify any untrusted data entry points (sources) and the point where the vulnerability (sink) manifests during code execution. What do SAST tools find? During SAST, we analyze for these vulnerabilities: (a) Buffer overflow vulnerabilities that involve writing or reading more data than a buffer can hold (b) Mistakes, weaknesses, and policy violations in application deployment configuration files like web xml (c) Security violations by checking on dynamic HTML content that includes Java Server Pages (jspx), Javascript (js), Java Server Faces (jsff) files, etc. (d) Time-of-check to time-of-use (TOCTOU) issues that can result in potentially dangerous sequences of operations (e) Vulnerabilities that involve tainted data (user-controlled input) put to potentially dangerous use; for example, issues like injection or cross-site scripting (XSS) (f) De-references of pointer variables that are assigned the null value (g) Dangerous flaws in the structure or definition of the program; for example, violations in secure programming practices such as deprecated code functions, and objects not defined as static or final when required (h) Dangerous uses of functions and APIs at the intra-procedural level; for example, unsafe calls that trigger buffer overflows, format strings, and execution path issues How SCS uses SAST Tools The Security Testing Services (STS) team provides code-scan services using SAST tools for various Oracle SaaS applications. The team helps with analysis of the identified security issues. The team also maintains a repository of scan artifacts in a centralized, role-based access control (RBAC) server for audit and review purposes. During result analysis, a security issue is classified as follows: In addition to running SAST tools, the SCS team works on researching and implementing industry-best practices to reduce false positive issues. The team also trains developers on how to use SAST tools and analyze the results. Development teams that are skilled in using SAST tools can find and fix actual problems faster than teams who must spend additional time in understanding the tool and scraping through false positive results. Millions of lines of code: Automation to the rescue The SCS team builds and deploys SAST automation as part of the Automated SaaS Cloud Security Services (ASCSS) infrastructure at Oracle. We develop this automation to be integrated with existing SaaS applications and upcoming SaaS micro-services.   In Oracle SaaS, we integrate on-demand scan processes with our central build orchestration system. The integrated automation suite triggers scanning jobs on-demand for a given SaaS application such as Oracle Fusion. In addition, for next-generation SaaS micro-services, we added automation into the code scan of a service as part of the Continuous Integration process (see Figure 2).   Figure 2 Example integrated Code Scan report in CI pipeline How do we deal with false positives? Historically, most SAST tools, based on their purpose, generate a lot of false positives. Independent SAST analysis of source code performed by third parties with only indirect knowledge of the specific applications has limited value. Fully leveraging SAST tools require in-depth understanding of how the application is architected and functionally operated in a production environment. Some of the recommended practices to overcome the challenge of false positives is to perform the following tasks: (1) Create custom rules with validations to reduce false positives and apply during the scan time (2) Apply a filter file containing a list of non-issue categories during the scan time (3) Create a set of visibility filters to hide false positives from the audit view While custom rules and scan-time filters remove the issue completely from the scan result file, visibility filters are used to hide the issue from the audit view. SCS follows a set of industry practices for SAST tools to hide the false positive issues while performing the audit for SaaS properties.   Conclusion Application security testing is fundamental to Oracle and all SaaS applications as one of our core DevSecOps principles. It is an engineering area that invokes significant passion and results from security minded engineers. One of the recommended engineering practices is to always have automated SAST testing as a component of the coding phase of a DevSecOps model. The use of SAST by the SCS team is another example of Automated SaaS Cloud Security Services (ASCSS) infrastructure at Oracle. We will continue to provide additional examples of the DevSecOps processes and tools that we use in Oracle SaaS Cloud Security in future blog posts. We welcome your feedback and questions and we will continue to share content and posts based on your requests.    

  For this posting, I would like to introduce my joint guest author Naveen Gupta, who is a Principal Security Engineer in the SaaS Cloud Security (SCS) organization.   Oracle has a long-standing, secure...

Interested in reading reviews on enterprise IT solutions? The Gartner Peer Insights platform is a great resource to read reviews and honest feedback directly from customers.

Interested in reading reviews on enterprise IT solutions? The Gartner Peer Insights platform is a great resource to read reviews and honest feedback directly from customers.

Join us for a very interesting read on troubleshooting withing Identity Cloud Service when using Active Directory Bridge.

Join us for a very interesting read on troubleshooting withing Identity Cloud Service when using Active Directory Bridge.

Oracle Identity and Access Management 12c PS4 has many new and exciting capabilities, read this blog to learn more about these features with 12c PS4.

Oracle Identity and Access Management 12c PS4 has many new and exciting capabilities, read this blog to learn more about these features with 12c PS4.

In this post, we'll look at how to create a secret in the Oracle Cloud that can be used to store sensitive data for your serverless functions and applications.

In this post, we'll look at how to create a secret in the Oracle Cloud that can be used to store sensitive data for your serverless functions and applications.

This 3rd Oracle and KPMG Cloud Threat Report, provides detailed insights into the key challenges, risks and opportunities that businesses are experiencing as they continue their cloud adoption trends.  We look at where cloud is finding success, as well as highlighting where risk and threats continue to grow and cause concern.

This 3rd Oracle and KPMG Cloud Threat Report, provides detailed insights into the key challenges, risks and opportunities that businesses are experiencing as they continue their cloud adoption trends....

DevOps aims to bring software development and maintenance closer to IT operations. It is designed to deliver new software features, enhancements to existing features, and bug fixes faster than traditional methods and with the same quality.

DevOps aims to bring software development and maintenance closer to IT operations. It is designed to deliver new software features, enhancements to existing features, and bug fixes faster...

As companies transition to the cloud for greater speed and agility, they’re also starting to see security as a cloud benefit rather than a risk. Learn how Oracle Cloud Infrastructure offers organizations security that is built-in, not bolted-on.

As companies transition to the cloud for greater speed and agility, they’re also starting to see security as a cloud benefit rather than a risk. Learn how Oracle Cloud Infrastructure...

If you are running an Oracle Cloud Database in a private Virtual Cloud Network (VCN) on Oracle Cloud Infrastructure, you can now very easily monitor and control your security posture with Oracle Data Safe. Read the blog to learn more.

If you are running an Oracle Cloud Database in a private Virtual Cloud Network (VCN) on Oracle Cloud Infrastructure, you can now very easily monitor and control your security posture with Oracle Data...

Join Oracle and Kapstone for their upcoming Identity Cloud Service webcast, Journey from Fragmented Identity to a Unified IAM.

Join Oracle and Kapstone for their upcoming Identity Cloud Service webcast, Journey from Fragmented Identity to a Unified IAM.

Aquera and Oracle are excited to announce support of the Aquera SCIM Gateway for the Oracle Identity Cloud Service. The Aquera SCIM Gateway and catalog of over 400 connectors are now fully interoperable and supported with IDCS.

Aquera and Oracle are excited to announce support of the Aquera SCIM Gateway for the Oracle Identity Cloud Service. The Aquera SCIM Gateway and catalog of over 400 connectors are now...

As more businesses adopt business-critical cloud services, it is important to find a trusted cloud partner who can help you meet your organization's security and compliance objectives. Keep up to date and boost your cloud security knowledge with some of these new Oracle Security assets.

As more businesses adopt business-critical cloud services, it is important to find a trusted cloud partner who can help you meet your organization's security and compliance objectives. Keep up to date...

Finance leaders are learning that cybersecurity can help advance growth and innovation objectives.

Finance leaders are learning that cybersecurity can help advance growth and innovation objectives.

As a follow up to a previous post, join us for this blog to answer the question, "how do you ensure that an attacker cannot disable or corrupt your security detection framework?" Very simply, it is all about comprehensive monitoring and validation! In cybersecurity infrastructure, you must have a validation framework and lifecycle that develops and executes tests based on collected evidence.

As a follow up to a previous post, join us for this blog to answer the question, "how do you ensure that an attacker cannot disable or corrupt your security detection framework?" Very simply, it...

Based on reader interest on how the Oracle SaaS Cloud Security (SCS) organization uses Oracle Labs PGX for our Automated SaaS Cloud Security Services (ASCSS) infrastructure, I wanted to follow up with an article on one of the advantages of using graph-powered security analytics.  This posting describes how graphs make it very easy for incident responders or security engineers to analyze, investigate, and quickly identify the root cause of potential security issues or suspicious activities.

Based on reader interest on how the Oracle SaaS Cloud Security (SCS) organization uses Oracle Labs PGX for our Automated SaaS Cloud Security Services (ASCSS) infrastructure, I wanted to follow up with...

Access our webcast on the Fortinet security solutions available on the Oracle Cloud Marketplace and how it can complement the security features on Oracle Cloud Infrastructure for business-critical workloads.

Access our webcast on the Fortinet security solutions available on the Oracle Cloud Marketplace and how it can complement the security features on Oracle Cloud Infrastructure for...

We learn new things every day, in our conversations with coworkers or the tv shows we watch, but we don’t often set aside time for the purpose of learning.

We learn new things every day, in our conversations with coworkers or the tv shows we watch, but we don’t often set aside time for the purpose of learning.

We're expanding Oracle Cloud Infrastructure Vault from just symmetric encryption keys backed by Hardware Security Modules (HSMs) to include arbitrary secrets. Oracle Cloud Infrastructure Vault Launches today.

We're expanding Oracle Cloud Infrastructure Vault from just symmetric encryption keys backed by Hardware Security Modules (HSMs) to include arbitrary secrets. Oracle Cloud Infrastructure Vault...

Oracle Identity Cloud Service provides users with the ability to securely govern their applications and perform single sign on, multi-factor authentication, user lifecycle management and API access management for a wide variety of cloud and on-premise applications. Working closely with our strategic partner, Kapstone Technologies LLC (KP), Oracle Identity Cloud Service now provides its customers greater flexibility and control over user lifecycle management activities through out of the box integration with 100+ cloud, on premise and legacy applications and platforms.

Oracle Identity Cloud Service provides users with the ability to securely govern their applications and perform single sign on, multi-factor authentication, user lifecycle management and API access...

For first time remote workers, the transition can be daunting. The best way to approach is to learn from others that have already made the leap. To that end in this article you’ll find some tips, suggestions and best practices for people and organizations that are introducing remote work so they can make the transition smoother for everyone involved. 

For first time remote workers, the transition can be daunting. The best way to approach is to learn from others that have already made the leap. To that end in this article you’ll find some...

This week we wanted to share how Oracle’s SaaS Cloud Security (SCS) organization is always prepared to support our customers and provide reliable continuity of service. Service continuity is a key pillar of Oracle’s SaaS Cloud Security Services.

This week we wanted to share how Oracle’s SaaS Cloud Security (SCS) organization is always prepared to support our customers and provide reliable continuity of service. Service continuity is a...

Well everyone another RSA Conference is officially in the books. This year’s theme was the “Human Element”, which is undeniably relevant given their description: “The most powerful tool to prevent cyberattacks? It’s you.

Well everyone another RSA Conference is officially in the books. This year’s theme was the “Human Element”, which is undeniably relevant given their description: “The most powerful tool to prevent...

With data breaches making the front pages several times per month, cybersecurity is eventually getting the attention of the board.

With data breaches making the front pages several times per month, cybersecurity is eventually getting the attention of the board.

We are pleased to announce the release of Oracle Key Vault 18.3, which is the first release that is also available from the Oracle Cloud Marketplace. Oracle Key Vault provides continuous, scalable and fault-tolerant key management for your Oracle Database estate, regardless of where they are deployed: On-premises, in Oracle Cloud, or across a hybrid cloud ecosystem.

We are pleased to announce the release of Oracle Key Vault 18.3, which is the first release that is also available from the Oracle Cloud Marketplace. Oracle Key Vault provides continuous, scalable and...

Oracle Identity Cloud Service provides single signon, user lifecycle management and API access management for a wide variety of SaaS and on-premises applications.

Oracle Identity Cloud Service provides single signon, user lifecycle management and API access management for a wide variety of SaaS and on-premises applications.

The 2020 RSA Conference was a success once again! The Human Element theme was woven throughout the week as we saw multiple sessions around the importance of creating a security plan that is tailored to your organization and your customers.

The 2020 RSA Conference was a success once again! The Human Element theme was woven throughout the week as we saw multiple sessions around the importance of creating a security plan that is...

Securing an Oracle Database is critical in keeping your sensitive data safe and staying compliant with the many new privacy regulations proliferating across the world.  Your data is extremely valuable– that could be intellectual property, financial data, personal data about your customers or staff, or a combination of all three.  Because data is valuable, you need to guard it against theft and misuse.

Securing an Oracle Database is critical in keeping your sensitive data safe and staying compliant with the many new privacy regulations proliferating across the world.  Your data is extremely...

Think your data is safe? Think again, threats today are more sophisticated than ever, are you protecting your sensitive data?

Think your data is safe? Think again, threats today are more sophisticated than ever, are you protecting your sensitive data?

In a borderless world, enterprises are finding a more diverse set of threats, with their attack surfaces increasing with infinite points of infiltration. With mobile devices, BYOD, IoT, and ever-expanding connectivity, there is no true network perimeter. Users and their identities are the new perimeter. So in order to protect today’s organizations, we need to focus on protecting their identities.

In a borderless world, enterprises are finding a more diverse set of threats, with their attack surfaces increasing with infinite points of infiltration. With mobile devices, BYOD, IoT,...

In the last installment of our series, we wrap up our conversation with Greg Jensen with a discussion around the future of cloud security and how leaders can help their businesses stay informed in the security space with the help of the annual Oracle and KPMG Cloud Threat Report. 

In the last installment of our series, we wrap up our conversation with Greg Jensen with a discussion around the future of cloud security and how leaders can help their businesses stay informed in the...

Security is taking over San Francisco! Will you be there? If the answer is yes and you are still deciding on your schedule, consider stopping by one (or more) of our in-booth lightning talks throughout the week. This year, we are focused on providing a variety of content that is valuable to customers and curious visitors alike. Whether you are interested in learning more about the latest updates in Identity Management or the top strategies to combat threat vectors we have a topic for you. Each lightning talk runs for about 10 minutes and is designed to give attendees a quick introduction to a topic they can explore more within our booth or online. We will be located in the North Hall booth #6085!

Security is taking over San Francisco! Will you be there? If the answer is yes and you are still deciding on your schedule, consider stopping by one (or more) of our in-booth lightning...

We often talk about the Maximum Security Architecture (MSA), but the reality is that not every database needs that level of protection. I thought it might be worth spending some time on what a baseline security posture for the Oracle Database should include – what the Minimal Security Architecture should be. Once we know the maximum and minimum, then we can think of database security on a sliding scale, with your database’s security controls adjusted to reflect the value of the data contained within the database, and your organization’s willingness to accept risk to that data.                   We like to see these seven simple things that can be done for ANY Oracle database, including Oracle Standard Edition, without any additional-cost licenses.  Adjust your configuration to remove unnecessary risk Apply security patches in a timely manner Practice good password discipline Reduce account privileges wherever possible Know your data Audit security-relevant activity Encrypt database network traffic These seven baseline security practices form the foundation for follow-on security controls that increase the security posture (and decrease risk) all the way up to the Maximum Security Architecture. Without them, adding additional technical controls may improve security, but it will not result in a truly secure system.  Adjust your configuration to remove unnecessary risk. There are hundreds of database parameters, and many of those impact the security posture for the system. Oracle provides the Database Security Assessment Tool (DBSAT) to help you evaluate your configuration and identify settings that may introduce additional risk. DBSAT is simple to download and run, usually producing usable reports within minutes.  If you are running databases in the Oracle Cloud, you can also use Oracle Data Safe (included with your Database as a Service subscription) to perform the same types of checks DBSAT does for on-premises databases. Apply security patches in a timely manner. Oracle releases security patches quarterly. With each release, we also provide guidance on the type of vulnerabilities being mitigated in the patch, the attack vector/complexity, and the severity. The reality is that once we release a patch, it isn’t long before malicious actors begin reverse engineering the patches to learn more about vulnerabilities and how they can be exploited. In some cases, the gap between our release of a patch and the availability of automated exploits can be as little as a few days. As every experienced IT professional knows, patching carries its own operational risk, and it’s always a balancing act between testing patches and applying them quickly. The important thing is to evaluate each patch and make a decision on your timeline for applying the patch. The decades-old DBA mantra of “if it ain’t broke, don’t fix it” doesn’t match up with modern risk evaluation! If you are not already subscribed to receive notifications of new critical patches, you can do so here. Practice good password discipline. This sounds so very basic that you may think it doesn’t need to be said, but having evaluated hundreds of production databases in real customer environments I can tell you that it IS something you should be paying attention to. The temptation to create accounts with passwords that don’t expire, and without those annoying complexity  requirements or limits of failed logins seems to draw people in. Remember that most database breaches involve compromised account credentials, and don’t neglect this most basic of security checks. DBSAT (or Oracle Data Safe if your database is in the Oracle Cloud) will help you here, letting you know which users have non-expiring passwords, passwords without complexity checks, and accounts that don’t automatically lock after a certain number of failed logins. Reduce account privileges whenever possible. Most database breaches involved compromised account credentials (sound familiar?). That means that you want to reduce the damage a compromised account can do whenever possible. This can be something as simple as reporting on the privileges/roles an account has and doing a manual review. If you are running the Enterprise Edition of Oracle Database you can use the Privilege Analysis feature to report on privileges an account uses, as well as privileges an account has that are not being used. Those unused privileges are excellent candidates for elimination. It’s always good to be cautious before removing privileges from a user, so I’ll usually take a two-step approach, running privilege analysis for a few months to identify unused privileges and then auditing the use of those privileges for several more months just to be sure the user doesn’t just use them infrequently. Know your data. Many have said that “data is the new oil” – but all data is not created equally. Some data has a higher value (with attendant higher security risk) than other data. Know what types of sensitive data your database holds, and almost as important, how much of that sensitive data there is. DBSAT can help here, with its sensitive data discovery module.  If you are running databases in the Oracle Cloud, you can also use Oracle Data Safe’s sensitive data discovery module.  The baseline security posture we’re discussing here is appropriate for databases with very low risk, databases that don’t contain a lot of sensitive data. The more sensitive data, and the more value that data holds, the more you should be doing to protect it. The baseline security posture we’re discussing here is appropriate for databases with very low risk, databases that don’t contain a lot of sensitive data. The more sensitive data, and the more value that data holds, the more you should be doing to protect it. Audit security-relevant activity. Just as important as knowing the types and quantity of sensitive data in your database is knowing how that data and your database are being accessed. The Oracle Database has superb auditing capabilities, and we improve them with every release. You should be auditing database login events, changes to user accounts, grants of database privileges, and changes to database schema. You may hear “I can’t enable auditing, the performance impact is too high” – but if you think about the things I’m saying to audit you’ll see that these are low frequency, high value operations. They shouldn’t be happening often in most databases, and therefore the performance impact will be minimal. Without an audit trail, your ability to detect malicious activity is severely compromised, and your ability to support a forensic investigation is almost non-existent. Encrypt database network traffic. Encryption of data in motion is standard now - websites that don't use HTTPS are the exception, not the rule. The same should be true for databases. Enabling encryption in an Oracle Database is as simple as a single line in a configuration file that will enable Oracle Native Network Encryption (NNE).  These seven simple steps establish a reasonable security baseline and are the foundation you can build on as you increase your security posture towards the Maximum Security Architecture. If you’d like to learn more about Oracle Database Security, please take a look at our third edition of “Securing your Database – A Technical Primer”.    

We often talk about the Maximum Security Architecture (MSA), but the reality is that not every database needs that level of protection. I thought it might be worth spending some time on what a...

This week, Oracle will be participating in the 2020 RSA Conference. One of the many items that Oracle will be bringing to the conference is information about security of the Oracle Cloud Infrastructure (OCI).  Nowadays, you can’t help but run across technology articles talking about Cloud, whether it is the growth of adoption, benefits received, or prevalence of cloud across businesses. I expect the RSA Conference to be no exception. 

This week, Oracle will be participating in the 2020 RSA Conference. One of the many items that Oracle will be bringing to the conference is information about security of the Oracle...

In our part 2 of our 3-post series, we continue the conversation with Greg Jensen and discuss the Shared Responsibility Security Model and the importance of visibility in the cloud.

In our part 2 of our 3-post series, we continue the conversation with Greg Jensen and discuss the Shared Responsibility Security Model and the importance of visibility in the cloud.

Every 11 seconds an organization suffers a cybersecurity attack and it's only expected to get much worse. So, it's critical for those that are responsible for securing these organizations to understand the challenges that they face and identify potential solutions to these issues.  I had the pleasure of speaking with Greg Jensen, Sr Principal Director of Cloud Security at Oracle about his take on the current state of cloud security and the Oracle and KPMG Cloud Threat Report.

Every 11 seconds an organization suffers a cybersecurity attack and it's only expected to get much worse. So, it's critical for those that are responsible for securing these organizations to...

One of the great things about providing a cloud service is how easy it is to update the service with new features, and Oracle Data Safe is no exception. For example, this week we've added support for Oracle Database 20c. Since we released the service at OpenWorld San Francisco last year, we’ve seen enormous growth and the customer response has been fantastic. If you are running a database in the Oracle Cloud and aren’t already using Data Safe, you really should try it out – Data Safe is included with all of our in-cloud Database as a Service offerings – including Autonomous Database and Exadata Cloud Service – at no additional cost. But, back to my main topic – the ease of updating a cloud service. Comparing the process for enhancing a product or fixing product issues for a cloud service like Data Safe with the same process for an on-premises product is like night and day. For on-premises products, enhancements are scheduled and rolled into a delivery vehicle – usually quarterly or, if it’s a major enhancement, the upcoming annual release. Depending on where in the development cycle the enhancement request comes in, It can take months or even years to bring a new feature to our customers. And the QA cycles before release are long and complex because Oracle is run in so many different server/operating system environments With Data Safe, we roll out fixes and updates every few weeks – it’s a continuous cycle of improvement. Usually these are small improvements – make something easier to understand, fix a typo in some text on screen, add a new sensitive data format to the over 125 existing formats, or a new masking format capability like group-based masking – we are constantly moving the usability and quality of the service higher. Every now and then, it’s a “hot fix” – we spot an issue that is impacting multiple customers and that needs to jump the normal development sprint cycle. In one recent case a report came in about how we were handling large objects from one customer, was confirmed by another customer about eight hours later, and was fixed – with the fix rolled into production for ALL Data Safe customers – less than a day later. This is what I love about cloud services – how quickly we can fix or improve things, and how confident we can be rolling those changes out since the deployment environment is homogenous and controlled. Some recent examples– Automated registration for Autonomous Databases.  I love the Autonomous Database because it lets me get down to business quickly – I don’t have to worry about setting up encryption, separation of duties, patching – the everyday tedium of securing a database. It’s all done for me. But, because it’s all done for me, setting up monitoring tools like Data Safe used to mean I had to figure out what someone else had done for that automation so I could connect my tools into the system. We had several customers who commented on the difficulty of registering an Autonomous Database with Data Safe, so we created the “Easy Button” – the registration is now automated, with network ingress rules, certificate import, credentialing all handled in the background. And we’re working with the Autonomous Database product managers to make things even easier in upcoming releases. But the point is, this great automation that really made a significant difference in the ease of use for Data Safe happened in just a couple of weeks from identifying the issue. And for our customers, that “Easy Button” just appeared on their Autonomous Database console. Federated Logon support. Our initial release of Data Safe required local accounts. During our testing and limited availability program this didn’t seem like a significant barrier to adoption -but once we had Data Safe generally available we received feedback from several customers that they preferred to only use federated identities, no local logins. Here again, in a few short weeks we had the solution developed, tested, and pushed out to our customers. So one day, the requirement for local logins just went away. Private IP address support. Another project we are working on is removing the requirement for a public IP address. The OCI networking team partnered with us on this to create a new network construct called the “Private Endpoint” that allows our customers to grant direct access to Data Safe without having to route that access through a public IP address.  Limited availability for this has been in progress for a few weeks, and so far everyone loves it. One day soon, our customers will just see this new capability appear for them to use with no need for them to apply a patch, install software, upgrade their hardware. Or, our most recent change – Oracle Database 20c (preview edition on Oracle Cloud released this week). With Data Safe, we are able to support Database 20c on the same day it is released! It just doesn’t get much better than this.

One of the great things about providing a cloud service is how easy it is to update the service with new features, and Oracle Data Safe is no exception. For example, this week we've added support for...

Previous articles have talked about Oracle Identity Cloud Service and how it can greatly simplify single sign-on for Oracle E-Business Suite. With the latest release of IDCS, you can now manage the lifecycle of your EBS users directly from IDCS.

Previous articles have talked about Oracle Identity Cloud Service and how it can greatly simplify single sign-on for Oracle E-Business Suite. With the latest release of IDCS, you can now manage the...

Happy Data Privacy Day! For those of you scratching your heads right now, we are here to explain further. In a world of online subscriptions, website browsing, and businesses selling and otherwise leveraging customer information, many people are uninformed or plain confused about what is really happening with their data. Data Privacy Day is all about raising awareness of how data is being used and promoting action to better protect all personal data, both our own data and data that our employers collect and manage. 

Happy Data Privacy Day! For those of you scratching your heads right now, we are here to explain further. In a world of online subscriptions, website browsing, and businesses selling and otherwise...

Next month the biggest names in information security will come together in San Francisco for the 2020 RSA Conference. Each year more than 45,000 IT security professionals come to learn from peers and experts. This year attendees will have the opportunity to interact with vendors, partners, and industry leaders. With so much going on, it can be overwhelming at times!

Next month the biggest names in information security will come together in San Francisco for the 2020 RSA Conference. Each year more than 45,000 IT security professionals come to learn from peers and...

We are pleased to announce that Oracle Key Vault 18.2 is now available with significant additions and improvements.

We are pleased to announce that Oracle Key Vault 18.2 is now available with significant additions and improvements.

DDoS attacks can cause significant disruption for your organization. As many organizations transition to using Cloud services, it is important to understand what is and isn’t covered by your Cloud Provider.

DDoS attacks can cause significant disruption for your organization. As many organizations transition to using Cloud services, it is important to understand what is and isn’t covered by your Cloud...

Today we are introducing Oracle Internet Routing 3D Visualization as part of our Safer Internet Initiative to increase the public’s understanding of internet routing events such as BGP leaks and hijacks.

Today we are introducing Oracle Internet Routing 3D Visualization as part of our Safer Internet Initiative to increase the public’s understanding of internet routing events such as BGP leaks...

In this post, I want to compare the value and detection results of antivirus endpoint agents in datacenters, server systems, and SaaS environments to that of other security detection tools and techniques. Some people claim antivirus is only used and installed to meet audit and compliance requirements for certifications. At Oracle, the SaaS Cloud Security (SCS) team believes antivirus tools provide a necessary, clear defense in depth solution in SaaS environments. If you’ve been skeptical about the antivirus approach, read on.

In this post, I want to compare the value and detection results of antivirus endpoint agents in datacenters, server systems, and SaaS environments to that of other security detection tools...

For the second consecutive year, Oracle is offering customers the opportunity to attend OpenWorld events around the globe, beginning with Oracle OpenWorld Middle East in Dubai this week. If you are planning to attend and interested in learning more about security, please be sure to mark the following sessions on your calendar!

For the second consecutive year, Oracle is offering customers the opportunity to attend OpenWorld events around the globe, beginning with Oracle OpenWorld Middle East in Dubai this week. If you...

Oracle’s long history in identity and continued innovation is helping customers solve even the most demanding use cases. In our upcoming webinar, we will discuss Oracle’s comprehensive IAM strategy in depth and how it supports you through your journey with on-premises, hosted cloud, cloud native, hybrid and multi-cloud scenarios across all functional areas such as access, governance, directory and more.

Oracle’s long history in identity and continued innovation is helping customers solve even the most demanding use cases. In our upcoming webinar, we will discuss Oracle’s comprehensive IAM strategy in...

In a cloud world, medium and midsize businesses need a culture of “security first” that is part of the foundational elements of a modern security stack to keep core data safe.

In a cloud world, medium and midsize businesses need a culture of “security first” that is part of the foundational elements of a modern security stack to keep core data safe.

How well would your organization fare in the face of a full-blown cyber attack? If that question makes your palms sweat and your eyes shift, read on for some lessons we’ve learned at Oracle about penetration testing and red teams.

How well would your organization fare in the face of a full-blown cyber attack? If that question makes your palms sweat and your eyes shift, read on for some lessons we’ve learned at Oracle...

Why are we seeing so many breaches and successful attacks against organisations? Of course, anyone working in this field will know the answer. Security is hard! But why?

Why are we seeing so many breaches and successful attacks against organisations? Of course, anyone working in this field will know the answer. Security is hard! But why?

The time has come to say goodbye to 2019 as we head into 2020! What a decade it has been, and this year in particular has had some shining moments. I'd like to take a moment to highlight our best Cloud Security blogs of 2019.

The time has come to say goodbye to 2019 as we head into 2020! What a decade it has been, and this year in particular has had some shining moments. I'd like to take a moment to highlight our...

As we look back across 2019, organizations saw a tremendous increase in not only the use of cloud for business, but the valuation of the data and applications hosted in the cloud. These predictions highlight what many organizations will experience in 2020 when they focus only on secure strategies, and not placing a greater focus on the inclusion of a security-minded culture. 

As we look back across 2019, organizations saw a tremendous increase in not only the use of cloud for business, but the valuation of the data and applications hosted in the cloud. These predictions...

Gartner published an updated Critical Capabilities for Identity Governance and Administration (IGA). Oracle received highest scores for 4 of the 11 capabilities evaluated, which is the most of all the vendors included in the report. Oracle’s overall strong product scores show that IGA continues to be a strong product with continued development and innovation.

Gartner published an updated Critical Capabilities for Identity Governance and Administration (IGA). Oracle received highest scores for 4 of the 11 capabilities evaluated, which is the most of all the...

Just as in the Star Wars Galaxy the cybersphere is a dangerous place and attacks can come in any guise and from any location just when you are least expecting it. And like the Dark Side, hackers are constantly trying out new techniques to get their hands on what they perceive as having value.

Just as in the Star Wars Galaxy the cybersphere is a dangerous place and attacks can come in any guise and from any location just when you are least expecting it. And like the Dark Side, hackers are...

Many companies moving older applications to the cloud start with ERP. But before putting critical finance data in the cloud, update security protocols.

Many companies moving older applications to the cloud start with ERP. But before putting critical finance data in the cloud, update security protocols.

Join Oracle at Gartner Identity and Access Management Summit from December 10th-12th, 2019 in Las Vegas at Caesars Palace to learn how Oracle is addressing these issues with Identity at the core of the solution.

Join Oracle at Gartner Identity and Access Management Summit from December 10th-12th, 2019 in Las Vegas at Caesars Palace to learn how Oracle is addressing these issues with Identity at the core...

Midsize and medium businesses share in the responsibilities for data security as they move core applications to the cloud. Follow these three tips to lay a secure foundation.

Midsize and medium businesses share in the responsibilities for data security as they move core applications to the cloud. Follow these three tips to lay a secure foundation.

We strive to build security into our applications and services in every phase of the DevSecOps engineering cycle. In this post, I want to address how the distributed engineering teams and the central security teams can join forces in the testing phase. I also want to discuss the advantage of their combined efforts in the DevSecOps model shown below.

We strive to build security into our applications and services in every phase of the DevSecOps engineering cycle. In this post, I want to address how the distributed engineering teams and the central...

Bring your own key (BYOK for short) seems to be the buzzword of the year; however, I struggle to understand where this comes from ... If prospective cloud customers want to retain control over their encryption keys, they can deploy an Oracle Key Vault 18 cluster on-prem to manage the encryption keys of on-prem and cloud-based Oracle databases at the same time. On the other hand, I have heard customers call those "BYOK" keys "pre-breached" keys, since they have been created/touched/manipulated by humans.

Bring your own key (BYOK for short) seems to be the buzzword of the year; however, I struggle to understand where this comes from ... If prospective cloud customers want to retain control over...

A historic Internet blackout in Iran began on Saturday afternoon, according to our team member Doug Madory. Doug is a Director of Internet Analysis for Oracle Internet Intelligence, part of Oracle Cloud Security. Internet Intelligence has been reporting and covering global connectivity and security threats that impact the performance of the global internet for over a decade.

A historic Internet blackout in Iran began on Saturday afternoon, according to our team member Doug Madory. Doug is a Director of Internet Analysis for Oracle Internet Intelligence, part of...

Join David B. Cross as he examines the MITRE ATT&CK matrix and explains the many ways in which Oracle SaaS Cloud Security goes above and beyond.

Join David B. Cross as he examines the MITRE ATT&CK matrix and explains the many ways in which Oracle SaaS Cloud Security goes above and beyond.

Organizations moving to the cloud are seeing traditional network perimeters vanish, leaving their users vulnerable to social engineering and phishing, and their applications vulnerable to data breaches. Multi-factor authentication gives organizations a crucial layer of security, securing end-user credentials and administrator access to on-premises and SaaS applications.

Organizations moving to the cloud are seeing traditional network perimeters vanish, leaving their users vulnerable to social engineering and phishing, and their applications vulnerable to...

Eleanor Meritt brings 24 years of experience at Oracle to her new position as the Vice President of IAM Development. Learn more about her and the future of Identity at Oracle.

Eleanor Meritt brings 24 years of experience at Oracle to her new position as the Vice President of IAM Development. Learn more about her and the future of Identity at Oracle.

Legacy applications are becoming harder to manage and costly to migrate. Identity is critical to staying secure, and it must work with these applications and the entire hybrid IT infrastructure. Oracle’s identity solutions are built for these environments, with many strengths for the full breadth of Oracle business applications.

Legacy applications are becoming harder to manage and costly to migrate. Identity is critical to staying secure, and it must work with these applications and the entire hybrid IT...

Mobile devices and the cloud platform have undeniably altered the traditional network perimeter. Your IT professionals can no longer assume trust across the stack as resources are available from anywhere and from any device. Oracle Identity Cloud Service provides built-in security for the Oracle Fusion SaaS stack and the extensions built by customers.

Mobile devices and the cloud platform have undeniably altered the traditional network perimeter. Your IT professionals can no longer assume trust across the stack as resources are available...