
DevSecOps in an Oracle E-Business Suite Environment
March 25, 2021

Stephen Kost, Chief Technology Officer, Integrigy Corporation
Phil Reimann, Director of Business Development, Integrigy Corporation

About Integrigy

ERP Applications: Oracle E-Business Suite and PeopleSoft
Databases: Oracle, Microsoft SQL Server, DB2, Sybase, MySQL, NoSQL

Products
▪ AppSentry – ERP Application and Database Security Auditing Tool (validates security)
▪ AppDefend – Enterprise Application Firewall for Oracle E-Business Suite and PeopleSoft (protects Oracle EBS)

Services
▪ Security Assessments – ERP, Database, Sensitive Data, Pen Testing and Audits (verify security)
▪ Compliance Assistance – SOX, PCI, HIPAA, GLBA (ensure compliance)
▪ Security Design Services – Auditing, Encryption, DMZ (build security)

Integrigy Research Team – ERP Application and Database Security Research

What are “DevOps” and “DevSecOps”?

DevOps lifecycle: code → build → test → deploy → operate → monitor (Dev | Ops)

DevOps – Development – Operations
▪ Software Development and IT Operations philosophies, practices, and tools to accelerate development, provide continuous delivery, and improve software quality

DevSecOps – Development – Security – Operations
▪ Incorporation of a security foundation into DevOps

Why DevSecOps for Oracle E-Business Suite?
▪ Oracle E-Business Suite is a highly complex application and technology environment
  – Oracle EBS is not well understood by IT Security
  – Often no security focus on customizations
▪ Many security vulnerabilities and issues are introduced in Oracle EBS through customizations and extensions

Types of Vulnerabilities                      Average # of Vulnerabilities per Assessment
SQL Injection                                 2.2
Cross-Site Scripting (XSS)                    0.6
XML Issues (e.g., XML entity attacks)         0.3
APPS Password Issues                          1.7
Authorization/Authentication Issues           2.8
Other Issues                                  1.2
Source – Integrigy Customization Assessments 2018 – 2021

Oracle E-Business Suite DevSecOps Challenges

Highly Complex Application Environment
▪ Web, application, and database development
▪ 886 security vulnerabilities have been patched in Oracle code between 2005 and 2021 – if Oracle can’t do it perfectly, can you?

Customization vs Development
▪ Development is focused on customizations
▪ Each customization is a small development project
▪ Pinpoint development objects created in multiple technologies and languages

Open Development Environment
▪ Development is done at multiple layers of the technology stack – web, application, database
▪ Some development is done inside the application
▪ Easy to have poor version control and weak change management

DevSecOps Reality – ERP Staffing Ratios

Developers (Dev) : Operations (Ops) : IT Security (Sec) = 25 : 10 : 1
Source – Integrigy ERP Security Staffing reviews by hours

DevSecOps Principles

Shift Left
▪ “Shifting left” is moving security to earlier stages of the development cycle
▪ Ensure security standards and best practices are met when code is first developed

Automation
▪ Automated code analysis, security testing, and compliance verification
▪ Automation reduces the burden on IT Security

Continuous Feedback
▪ Security is evaluated at multiple points in the development cycle through both automated and manual processes
▪ Security vulnerabilities are fixed immediately, early in the development cycle
DevSecOps Benefits

Improve Security
▪ Identify and eliminate security vulnerabilities
▪ Automate security vulnerability identification processes to allow IT Security to focus on design, implementation, and infrastructure
▪ Security end-to-end rather than an afterthought

Speed Delivery
▪ Minimize security bottlenecks in the development process
▪ Extend security into development

Reduce Time and Effort to Fix
▪ Identify and fix security vulnerabilities early in the development cycle
▪ Fix during development rather than during testing
▪ Security testing and feedback when code is committed instead of just when tested

Oracle E-Business Suite DevSecOps

Lifecycle: 1. plan → 2. code → 3. build → 4. test → 5. release → 6. deploy → 7. operate → 8. monitor (Dev | Ops)

1. plan
▪ Secure by design
▪ Secure architecture
▪ Threat modeling

2. code
▪ Secure development standards
▪ Version control
▪ Secure code training
▪ IDE security plugins

3. build
▪ Static code analysis (SAST)
▪ Secrets scanning
▪ Peer code reviews

4. test
▪ Dynamic code analysis (DAST)
▪ Test data scrambling

5. release
▪ CI/CD deployment pipeline
▪ Release approvals

6. deploy
▪ Change management
▪ Automated deployments
▪ Configuration hardening

7. operate
▪ Web application firewall (WAF)
▪ Security patching
▪ Penetration testing
▪ Vulnerability scanning

8. monitor
▪ Auditing and logging
▪ File integrity monitoring
▪ Sensitive data scanning
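A minimal illustration of the build-stage SAST and secrets-scanning checks applied to an Oracle EBS customization, added here as an example and not code from the presentation or from Integrigy: it flags the two defect classes the assessment table counts most often in custom code, a hardcoded APPS credential and string-concatenated dynamic SQL. The package name, object names and the PL/SQL sample are constructed for the example; a real SAST tool does far more than these two regular expressions, but a check like this can run as a pre-commit or CI gate so the finding surfaces when the code is committed rather than when it is tested.

```python
import re

# Constructed sample of a custom EBS PL/SQL package body (not real customer code).
# It contains one instance of each defect class the scanner looks for.
SAMPLE_PLSQL = """\
CREATE OR REPLACE PACKAGE BODY xxcust_report_pkg AS
  -- hardcoded APPS credential: the "APPS password issue" category
  g_conn VARCHAR2(100) := 'apps/apps123@PROD';
  PROCEDURE run(p_org IN VARCHAR2) IS
    l_sql VARCHAR2(4000);
  BEGIN
    -- string-concatenated dynamic SQL: the "SQL injection" category
    l_sql := 'SELECT * FROM xx_orders WHERE org = ''' || p_org || '''';
    EXECUTE IMMEDIATE l_sql;
    -- bind variables keep caller input out of the statement text
    EXECUTE IMMEDIATE 'SELECT * FROM xx_orders WHERE org = :1' USING p_org;
  END run;
END xxcust_report_pkg;
"""

# Pattern 1: a quoted connect string or password fragment naming the APPS schema.
APPS_CRED = re.compile(r"""['"]\s*apps\s*/\s*[^'"\s@]+""", re.IGNORECASE)

# Pattern 2: a string literal containing a SQL keyword that is immediately
# concatenated (||) with something else; '' inside the literal is an escaped quote.
CONCAT_SQL = re.compile(
    r"""'(?:[^']|'')*?\b(?:select|insert|update|delete|where)\b(?:[^']|'')*'\s*\|\|""",
    re.IGNORECASE,
)


def scan_plsql(text: str) -> list:
    """Return (line_number, finding) pairs for a PL/SQL source string."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        code = line.split("--", 1)[0]  # ignore trailing PL/SQL comments
        if APPS_CRED.search(code):
            findings.append((lineno, "hardcoded APPS credential"))
        if CONCAT_SQL.search(code):
            findings.append((lineno, "string-concatenated dynamic SQL (use bind variables)"))
    return findings


def build_gate(text: str) -> bool:
    """True when the source has no findings, i.e. the build step may continue."""
    return not scan_plsql(text)


if __name__ == "__main__":
    for lineno, msg in scan_plsql(SAMPLE_PLSQL):
        print(f"line {lineno}: {msg}")
```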