Oracle® Retail POS Suite Security Guide
Release 14.1
E54480-01

3 Considerations for Extending and Customizing Products

This chapter provides information on extending and customizing the security features of the Oracle Retail POS Suite applications.

Log Files

Sensitive data must not be displayed in log files. If you are modifying the applications, for example for device integration, do not log sensitive data for debugging or testing purposes. Do not assume that you can prevent the logging based on the log level because the log level can be easily changed. Avoid log statements that might compromise sensitive data.

Coding Concerns for Log Files


Caution:

It is not always obvious in code when sensitive data is being logged since it could be logged implicitly rather than explicitly.

Be aware of the following areas when coding:

  • The use of Java toString() methods—If you log the contents of an object for debugging or information purposes, be sure not to log any sensitive data it might contain. You can either skip a sensitive attribute when creating the toString() method, or you can replace sensitive data with text such as "PROTECTED DATA."

  • Logging of XML messages—Sometimes an entire XML message may be written to a log, so be careful that the message does not contain sensitive data.

  • Device driver code—Logging in this code is a particularly critical area to watch. Whether it is your code or third-party vendor code, be sure that drivers do not log any sensitive data they may read.
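
The first two points above, sketched as an added example that is not Oracle's code: a toString() that substitutes PROTECTED DATA for the card number, and a helper that masks sensitive elements of an XML message before it is logged. The class, field, and element names are hypothetical, and the card number is a constructed test value.

```java
import java.io.StringReader;
import java.io.StringWriter;
import java.util.Set;
import java.util.logging.Logger;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.*;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

public class LogRedactionExample {
    static final String MASK = "PROTECTED DATA";
    // Hypothetical element names; list the sensitive fields of your own message schema.
    static final Set<String> SENSITIVE_TAGS = Set.of("CardNumber", "TrackData");

    // Hypothetical tender object: toString() never exposes the card number.
    static final class CardTender {
        private final String cardNumber;
        private final String amount;
        CardTender(String cardNumber, String amount) { this.cardNumber = cardNumber; this.amount = amount; }
        @Override public String toString() {
            return "CardTender[cardNumber=" + MASK + ", amount=" + amount + "]";
        }
    }

    // Parse the message and mask sensitive elements before it reaches any logger.
    static String redactXml(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTDs or external entities
        Document doc = f.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
        for (String tag : SENSITIVE_TAGS) {
            NodeList nodes = doc.getElementsByTagName(tag);
            for (int i = 0; i < nodes.getLength(); i++) nodes.item(i).setTextContent(MASK);
        }
        Transformer t = TransformerFactory.newInstance().newTransformer();
        t.setOutputProperty(OutputKeys.OMIT_XML_DECLARATION, "yes");
        StringWriter out = new StringWriter();
        t.transform(new DOMSource(doc), new StreamResult(out));
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        Logger log = Logger.getLogger("example");
        // Constructed sample data (test card number), not from a real transaction.
        log.info(new CardTender("4111111111111111", "25.00").toString());
        log.info(redactXml("<Tender><CardNumber>4111111111111111</CardNumber><Amount>25.00</Amount></Tender>"));
    }
}
```

If a message fails to parse, redactXml throws; the caller should then log nothing from the message rather than fall back to the raw text.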

Training

Oracle Retail has created a training program to train retailers, resellers, and integrators on how to implement the applications securely into a production environment. The Oracle University course is D64295GC10. The Oracle Retail POS Suite Software Development Methodology includes a review and revision of training materials for each release.

Common Points for Extension or Customization

This section discusses the common points for extension or customization.

Encryption Service Interfaces for Oracle Retail POS Suite Applications

The following figures show information about the Encryption API.

Figure 3-1 KeyStoreEncryptionServiceIfc Class


Each application accesses the external key management application using the Spring Framework. Oracle Retail Central Office, Back Office, and Returns Management, which are JEE applications, expect the key management client JARs to be made available using the JCA container. Oracle Retail Point-of-Service, a standard Java application, accesses them directly using the classpath.

Figure 3-2 Application Encryption API Flow