Oracle Customer Security Testing Policy

This site is intended to describe the security testing activities (for example, penetration testing, vulnerability scanning) that can be performed by Oracle customers against their Oracle On-Premises Products and Oracle Cloud Services (“Security Tests” or “Security Testing”). It is collectively referred to as the “Testing Policy” and is included as part of the Service Specifications for Oracle Cloud Services (other than Oracle NetSuite).

Security assurance activities performed by Oracle

Oracle Software Security Assurance is Oracle’s methodology for building security into the design, build, testing, and maintenance of its products, whether they are used on-premises by customers or delivered through Oracle Cloud. Oracle employs formal coding standards and requires that development teams perform various security testing activities throughout the software development cycle to identify potential issues. Oracle submits certain products for external security evaluations; for more information, see the Security Evaluation page.

Oracle regularly performs penetration testing, vulnerability testing and security assessments against the systems it manages (that is, Oracle Cloud infrastructure, platforms, and applications). Additionally, the Oracle Cloud security and development teams monitor relevant vendor and industry bulletins, including Oracle’s own security advisories, to identify, assess, and if required apply relevant security patches.

Oracle does not assess or test components that are managed or introduced by customers. Examples of customer-managed components include non-Oracle applications and operating systems deployed by customers, customer-developed integrations, etc. Customers and security researchers are encouraged to report suspected security vulnerabilities to Oracle per the process documented at: How to Report Security Vulnerabilities or by submitting a Service Request in the support system associated with their Oracle Cloud product.

You can find information about Oracle Cloud attestations of compliance to various security and privacy standards (such as ISO 27001) on the Oracle Cloud Compliance site. Some compliance reports can also be downloaded directly from the Oracle Cloud Console.

Oracle makes available penetration testing summaries for a number of its Cloud Services

These reports are available to customers of the applicable Oracle Cloud Services under a non-disclosure agreement. Contact your Oracle account representative to obtain these reports.

Differences between on-premises and cloud deployments

Organizations deploying traditionally licensed software and hardware products on-premises are typically in full control of their technology infrastructure located in their data center (for example, physical control of the hardware and control over the technology stack in production). Organizations control how they build, configure, and use these systems. Security testing activities, such as penetration testing, can be performed by the organizations for the purpose of assessing their security posture. However, licensing terms can restrict certain security testing activities (for example, customers cannot typically decompile commercial code, and static code analysis is generally not possible). Additional limitations may exist when, for example, organizations opt in for remote support services or leverage hardware that is leased from a vendor.

When using cloud services, organizations leverage resources and practices that are under the control of the cloud service provider while still retaining some control and responsibility over other components of their IT solution. Security activities such as cloud service penetration testing are typically subject to various limitations because of the potential adverse effects of security testing and the triggering of alerts likely to be detected by the cloud security teams. There are different compliance implications of operating in the cloud versus on-premises. The concept of “build, configure, and use” is very much relevant in the cloud, and generally denotes the level of control customers can exercise on individual cloud service configuration.

Helping you determine the applicable Security Tests limitations

General principles:

The applicable limitations in this Testing Policy depend on the Oracle offering that is the subject of your testing. Are you looking to test?

  • On-premises products encompass the use of software and hardware deployed at a physical location, such as a customer’s data center (not in the cloud).
  • Cloud services encompass the use of cloud services delivered, operated and managed by Oracle regardless of who manages the data center’s physical location/facility (Oracle, colocation provider, customer, Oracle partner or Oracle agent).

Distinctions:

For purposes of this Testing Policy, the following defined terms apply:

  • “Oracle On-Premise Products” or “On-Premises Products” refers to Oracle software that is licensed to a customer, and Oracle hardware that is leased or sold to a customer, (1) pursuant to the terms of an Oracle software or hardware agreement, as applicable (such agreement and the applicable On-Premise Products order(s) being collectively referred to in this Testing Policy as the “Oracle Products Agreement”), and (2) which are deployed at a physical location (i.e., not in the cloud) such as (A) a customer’s data center, or (B) an Oracle data center or the data center of a customer’s agent. On-Premise Products do not include software or hardware that Oracle or its agents may make available to a customer as part of an Oracle Cloud Service.
  • “Oracle Cloud Services” or “Cloud Service” refers to an Oracle cloud service that is (1) provided to a customer on a subscription basis pursuant to the terms of an Oracle cloud agreement (such agreement and the applicable Cloud Services order(s) being collectively referred to as the “Oracle Cloud Agreement”), and (2) delivered or managed by Oracle from an Oracle data center, the data center of an Oracle partner or agent, or from dedicated systems physically located in a facility operated by the customer, or its agents or subcontractors (e.g., Oracle cloud@customer services).

See the applicable limitations and Oracle’s recommendations

The fundamental differences between operating on-premises products and leveraging cloud services significantly impact the nature of the security testing activities that you can perform.

About Oracle Health

Oracle Health conducts continuous scanning throughout its platforms and annually contracts with an independent certified tester to perform penetration testing of its internet-facing assets. Oracle Health does not authorize customers to perform penetration tests against Oracle Health’s system. Such security tests could cause system interruptions across the Oracle Health multitenant environment and affect patient safety.

Additional penetration tests of applications may be conducted by Oracle Health security professionals with appropriate certifications, with testing scheduled according to developer prioritization and regulatory commitments.

Oracle Health customers (including former Cerner customers) are not allowed to perform security tests on their Oracle Health products and services. For more information, see Oracle Health and AI (OHAI) Security Program.

Oracle On-Premises Products and Oracle Cloud Infrastructure examples

The technical limitations to customers’ Security Testing for Oracle On-Premises Products apply to customer-managed deployments of software and hardware systems. However, a customer’s Security Testing against Oracle Cloud Services delivered through dedicated hardware physically located in a customer-controlled facility (for example, Oracle cloud@customer services) is subject to the cloud limitations in this Testing Policy because these services are operated by Oracle. If a customer deploys and operates its On-Premises Products in Oracle Cloud Infrastructure, the On-Premises Products limitations apply to testing of the On-Premises Products and the Cloud Services testing limitations apply to testing of Oracle Cloud Infrastructure.

The table below provides examples of various use cases.

Oracle offerings | Deployment & operation | Applicable Customer Security Testing limitations
Oracle Database (traditionally licensed On-Premises Product deployed by the customer) | Data center operated, controlled or leased by the customer. | Testing limitations on the “On-Premises” page.
Oracle Database (traditionally licensed On-Premises Product deployed by the customer) | Oracle Cloud Infrastructure tenancy managed and controlled by the customer. | On-premises testing limitations for the testing of the licensed product within the customer’s instance/tenancy. Testing is also constrained by the Oracle Cloud Infrastructure testing limitations on the “Oracle Cloud” page.
Oracle Database Cloud Services (deployed and managed by Oracle) | Cloud data center operated, controlled, or leased by Oracle. | Oracle Cloud Infrastructure testing limitations on the “Oracle Cloud” page.

Other Oracle Cloud Services examples

The testing limitations that apply to Security Tests of Oracle Cloud Services vary depending on the type of Cloud Services involved and where such services are deployed. The following table provides examples of different Cloud Service use cases:

Oracle offerings | Deployment & operation | Applicable Customer Security Testing limitations
Oracle Exadata Cloud Service | Cloud data center operated, controlled, or leased by Oracle. | Testing limitations on the “Oracle Cloud” page.
Oracle NetSuite | Cloud data center operated, controlled, or leased by Oracle. | Testing limitations on the “Oracle Cloud” page.
Oracle Fusion Applications | Cloud data center operated, controlled, or leased by Oracle. | Testing limitations on the “Oracle Cloud” page.
Oracle Health (former Cerner products) | All Oracle Cerner products and services. | Customers cannot perform security testing. Please see Oracle Health and AI (OHAI) Security Program.
Oracle Cloud for Industries (excluding Oracle Health) | Cloud data center operated, controlled, or leased by Oracle. | Testing limitations on the “Oracle Cloud” page.
Oracle Cloud Services deployed by Oracle as part of a multicloud solution in third-party cloud data centers such as Microsoft Azure, AWS or Google Cloud (each a “MultiCloud Provider”) | Cloud Services that Oracle deploys and manages within a cloud data center operated, controlled, or leased by the MultiCloud Provider. | Testing limitations on the “Oracle Cloud” page. Customers are also subject to the testing limitations in their separate agreement with the MultiCloud Provider.

Customer Security Testing of Oracle software hosted by third-party cloud providers

Subject to the terms of the applicable Oracle Products Agreement, customers can opt to operate Oracle on-premises software products in third-party cloud environments. Security Tests of the On-Premises Products are then subject to the terms described on the “On-Premises” page, and may be subject to additional testing restrictions pursuant to the customer’s agreement with the applicable third-party cloud provider.