Testing and Ethical Hacking

Overview

Oracle maintains teams of specialized security professionals for the purpose of assessing the security strength of the company’s infrastructure, products, and services. These teams perform various levels of complementary security testing:

  • Operational security scanning is required as part of the normal systems administration of Oracle’s systems and services. This kind of assessment largely leverages commercial scanning tools as well as Oracle’s own products (such as Oracle Enterprise Manager). The purpose of operational security scanning is primarily to detect unauthorized and insecure security configurations.
  • Penetration testing is also routinely performed to check that systems have been set up in accordance with Oracle’s corporate standards and that these systems can withstand their operational threat environment and resist hostile scans from the Internet. Penetration testing can take two forms:
    • Passive penetration testing uses commercial scanning tools and manual steps to identify the presence of known types of vulnerabilities with sufficient confidence and accuracy. A test case can then be used by development or cloud operations to validate the presence of an issue. During passive penetration testing, no exploitation is performed on production environments beyond the minimum required to confirm the issue. For example, a SQL injection will not be exploited to exfiltrate data.
    • Active penetration testing is more intrusive because it allows for the exploitation of discovered vulnerabilities. It is also broader in scope than passive penetration testing, as the security teams are typically allowed to pivot from one system to another. Active penetration testing is therefore closely controlled so as to avoid unintentional impacts on production systems.

Operational Security Scanning

Oracle IT organizations are responsible for security scanning of the Oracle corporate systems and Cloud services they manage, per Oracle’s Server Security Policy and associated technology standards. All scanning tools must be approved per the Corporate Security Solution Assurance Process (CSSAP). Scan results are analyzed using a risk-based approach. Change management processes are used to address any identified issues according to risk-based prioritization, per management approval.

Penetration Testing

Oracle requires that external-facing systems and cloud services undergo penetration testing. Global Information Security’s Penetration Testing Team performs penetration tests and provides oversight to all lines of business in instances where other internal security teams or an approved third party perform penetration testing activities. This oversight is designed to drive quality, accuracy, and consistency of penetration testing activities and their associated methodology. Oracle has formal penetration testing requirements which include test scope and environment definition, approved tools, findings classification, categories of exploits to attempt via automation and manual steps, and procedures for reporting results.

Penetration tests are routinely performed against Oracle cloud services and, for on-premises products, in test environments. Oracle’s corporate security teams monitor test execution, reporting quality, and findings remediation. Before a line of business is allowed to bring a new system or cloud service into production, Oracle requires that the remediation of significant penetration test findings be completed.

Information about penetration tests of Oracle systems is Oracle Confidential and is not shared externally. However, Oracle does make penetration testing summary reports available for many Cloud Services.

Ethical Hacking

In contrast to operational security scanning and penetration testing, ethical hacking is an open-book engagement in which the ethical hacking team has access to the engineering documentation (for example, design specifications) and the source code of the product being tested. Administrative access can be granted to the ethical hacking team to enable a more intrusive analysis of the targeted systems and to provide the ability to leverage additional logging and debug modes. Ethical hacking engagements are typically performed against dedicated test environments because the target systems are often negatively impacted by testing and may need to be rebuilt at the end of the assessment.

Oracle’s Ethical Hacking Team (EHT) is an independent group of security researchers in the Global Product Security organization. EHT test reports are never disclosed externally. The team reports its findings to the corporate security architect as well as the senior leadership of the affected lines of business. In addition, the EHT is a significant contributor to the Oracle Secure Coding Standards and periodically presents “lessons learned” for Oracle development.