Introduction

Weaknesses in an organization’s security posture can often be traced back to insecure software configurations, and not necessarily result from errors in design or coding in the software itself. Examples of insecure configurations include sensitive data files configured by default to be accessible to all system users, or software with pre-configured administrator accounts with default passwords. Oracle’s secure configuration standard requires that products and cloud services have defined secure configurations.

Secure Configuration Requirements

Oracle requires that its products and services be as much as possible secure by default. Products and services should only install the essential components to perform their intended functions. Any features not intended for a production deployment, such as demonstration content, default accounts and debug tools, should not be installed by default. This approach is commonly referred to a minimizing the attack surface. By default, the product or service should only use secure protocols and encryption algorithms.

Most Oracle products depend on other products or components. For example, if an application requires a database, the application developers should understand what database features are needed and recommend a custom installation of only essential components. Operating systems include many features or services that are not needed by all applications. The application developers must determine which services are required and disable any others.

Cloud Secure Configuration

Oracle requires Oracle Cloud services be deployed in a specific configuration, or a small number of configurations. The security of cloud configurations are to be planned from the design phase by the development team. The developers implementing the service need to be aware of the planned configuration. Testing must be performed on the product in this configuration, with pre-deployment tests performed in an environment identical to the production environment.

Additionally, cloud development teams are required to deliver the service to cloud operations teams in a secured configuration. Use of containers, such as Docker and automated deployment pipelines, help development teams satisfy this requirement.