Testing and Ethical Hacking

Overview

Oracle maintains teams of specialized security professionals for the purpose of assessing the security strength of the company’s infrastructure, products, and services. These teams perform various levels of complementary security testing:

  • Operational security scanning is performed as part of the normal systems administration of all Oracle’s systems and services. This kind of assessment largely leverages tools including commercial scanning tools as well as Oracle’s own products (such as Oracle Enterprise Manager). The purpose of operational security scanning is primarily to detect unauthorized and insecure security configurations.
  • Penetration testing is also routinely performed to check that systems have been set up in accordance with Oracle’s corporate standards and that these systems can withstand their operational threat environment and resist hostile scans that permeate the Internet. Penetration testing can take two forms:
    • Passive-penetration testing is performed using commercial scanning tools and manual steps. It is usually performed via the Internet and usually with the minimum of insider knowledge. Passive testing is used to confirm the presence of known types of vulnerabilities with sufficient confidence and accuracy to create a test case that can then be used by development or cloud operations to validate the presence of the reported issue. During passive-penetration testing, no exploitation is performed on production environments, other than that minimally required to confirm the issue. For example, a SQL injection will not be exploited to exfiltrate data.
    • Active-penetration testing is more intrusive than passive-penetration testing and allows for the exploitation of discovered vulnerabilities. It is also broader in scope than passive-penetration testing, as the security teams are typically allowed to pivot from one system to another. Obviously, active-penetration testing is closely controlled so as to avoid unintentional impacts on production systems.

Operational Security Scanning

Oracle IT organizations are responsible for security scanning of the Oracle corporate systems and Cloud services they manage, per Oracle’s Server Security Policy and associated technology standards. All scanning tools must be approved per the Corporate Security Solution Assurance Process (CSSAP). Scan results are analyzed using a risk-based approach. Change management processes are used to address any identified issues according to risk-based prioritization, per management approval.

Information about operational security scans of Oracle’s corporate systems and cloud services is Oracle Confidential and is not shared externally.

Penetration Testing

Oracle requires that external-facing systems and cloud services undergo penetration testing performed by independent security teams. Global Information Security’s Penetration Testing Team performs penetration tests and provides oversight to all lines of business in instances where other internal security teams or an approved third party performs penetration testing activities. This oversight is designed to drive quality, accuracy, and consistency of penetration testing activities and their associated methodology. Oracle has formal penetration testing requirements which include test scope and environment definition, approved tools, findings classification, categories of exploits to attempt via automation and manual steps, and procedures for reporting results.

Penetration tests are routinely performed against Oracle cloud services and in test environments against on-premises products. Oracle’s corporate security teams monitor test execution, reporting quality and findings remediation. Before a line of business is allowed to bring a new system or cloud service into production, Oracle requires that the remediation of significant penetration test findings be completed.

Information about penetration tests of Oracle’s corporate systems and cloud services is Oracle Confidential and is not shared externally.

Ethical Hacking

In contrast to operational security scanning and penetration testing, ethical hacking is an open-book engagement where the ethical hacking team has access to the engineering documentation, for example, design specifications, and the source code of the product being tested. Administrative access can be granted to the ethical hacking team to enable a more intrusive analysis of the targeted systems and to provide the ability to leverage additional logging and debug modes. Ethical hacking engagements are typically performed against dedicated test environments because the target systems are often negatively impacted by testing and may need to be rebuilt at the end of the assessment.

Oracle’s Ethical Hacking Team (EHT) is an independent group of security researchers in the Global Product Security organization. EHT test reports are never disclosed externally. The team reports its findings to the corporate security architect as well as the senior leadership of the affected lines of business. In addition, the EHT is a significant contributor to the Oracle Secure Coding Standards and periodically presents “lessons learned” for Oracle development.

Oracle Labs

The mission of Oracle Labs is straightforward: identify, explore, and transfer new technologies that have the potential to substantially improve Oracle software, Oracle Cloud services, and corporate operations. Oracle Labs researchers look for novel approaches and methodologies, often taking on projects with high risk or uncertainty, or that are difficult to tackle within a product development organization.

Oracle’s commitment to R&D is a driving factor in the development of technologies that have kept Oracle at the forefront of the computer industry. Although many of Oracle's leading-edge technologies originate in its product development organizations, Oracle Labs is the sole organization at Oracle that is devoted exclusively to research.