Siebel CRM Siebel Security Guide
Siebel Innovation Pack 2017, Rev. A
E24814-01
Performing Security Testing

This chapter describes how to test the security of your Siebel Business Applications deployment. It includes the following topics:

About Performing Security Assessments

Carry out security-risk assessments of your Siebel Business Applications and infrastructure (for example, the operating system and third-party products) periodically to make sure that security policies are being adhered to and to rectify any security vulnerabilities that are identified. In particular, perform extensive security testing of any customizations you make to your Siebel Business Applications before you implement the customizations in a production environment.

It is recommended that you scan your Siebel Business Applications deployment periodically using vulnerability assessment tools to locate security weaknesses. Take a focused approach to risk mitigation rather than trying to identify every possible attack, which can be time-consuming. Various tools are available for performing vulnerability assessments:

  • Public domain tools, for example, Nessus, Nmap, COMRaider, FileFuzz, and CIS Tools (www.cisecurity.org).

  • Other commercially available tools for which an up-to-date vulnerability database is maintained by the vendors. The following tools are generally available for testing system security:

    • WebInspect

    • NTOSpider

About the Common Vulnerability Scoring System

You can use the Common Vulnerability Scoring System (CVSS) to determine the characteristics and severity of a security vulnerability and to assess its impact on your environment. The CVSS is an open, industry-standard method used to score system vulnerabilities.

In the CVSS, vulnerabilities are assessed on three measures: base properties, temporal properties, and environmental properties. The resultant composite score represents the overall risk posed by the vulnerability in your environment. Using the CVSS can help you determine the severity of vulnerabilities that you find and therefore help determine the priority given to resolving them.

The CVSS is maintained by the Forum of Incident Response and Security Teams (FIRST). For additional information on using the CVSS, go to the FIRST Web site at

http://www.first.org/cvss/

A calculator for scoring vulnerabilities using the CVSS method is available from the National Vulnerability Database Web site at

http://nvd.nist.gov/cvss.cfm

Using Masked Data for Testing

If you make a copy of the data in your Siebel production database for security testing or development purposes, then mask the sensitive data in the copy.

Data masking hides sensitive information by replacing it with similar-looking but nonauthentic data. Effective methods of data masking protect the original data by ensuring it cannot be recovered from the masked data while providing a version of the data that is functionally equivalent for testing purposes. Data, such as personal details and credit card information, must always be masked when used outside the production environment.

Siebel Business Applications do not provide data masking features; this functionality is provided by the RDBMS vendor. The Oracle Data Masking pack for Oracle Enterprise Manager provides data masking capabilities. If you are using an MS SQL or DB2 RDBMS, then refer to the vendor documentation for information on data masking products.

Methods of Masking Data

When using a copy of production data for testing or development purposes, you must mask sensitive data while ensuring that the masking process does not change the original data so much that it no longer allows a valid test of the functionality being verified.

The most appropriate method of masking data, without substantially changing it, varies according to the type of the data. The following are some methods that can be used for masking different types of data:

  • Numbers, such as credit card numbers and product numbers. Rotate the numbers in the original data, and add a random value.

  • Dates and times. Add or subtract a fixed amount of time to the original date or time value. Make sure that the result of the operation is still a valid date or time, and that start dates in the original data still occur before end dates in the original data.

  • Names, such as customer names or personal names. Replace characters in names in the original data using a fixed or random substitution scheme. Make sure that the substitution does not increase the length of the resulting name values; otherwise buffer overflows can occur.

  • Status values, such as Active or Suspended. Change each of the values to some other value picked from a list of known values. For example, a customer's status can be changed from Active to Suspended, but not to Inactive if the term Inactive is not recognized by the application.
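The four masking methods listed above, applied to one constructed customer record, as an added Python example (written for this chapter, not code from Siebel or from any RDBMS masking product); the status picklist, the sample record and the 37-day date shift are assumptions made for the example. Each function enforces the caveat given for its data type: separators and length are preserved for numbers, a single fixed shift keeps start dates before end dates, one-for-one letter substitution can never lengthen a name, and a status is only ever replaced by another value the application already knows.

```python
import datetime as dt
import random
import string

KNOWN_STATUSES = ["Active", "Suspended", "Closed"]  # assumed picklist (constructed)
SAMPLE_ROW = {"name": "Jane O'Neil", "card": "4111-1111-1111-1111",  # constructed
              "start": dt.date(2017, 1, 10), "end": dt.date(2017, 3, 1), "status": "Active"}

def mask_number(value, rng):
    # Rotate digits by a random offset, then add a random digit to each (mod 10).
    # Separators such as '-' stay in place, so length and format are preserved.
    digits = [c for c in value if c.isdigit()]
    k = rng.randrange(len(digits))
    digits = [str((int(d) + rng.randrange(10)) % 10) for d in digits[k:] + digits[:k]]
    it = iter(digits)
    return "".join(next(it) if c.isdigit() else c for c in value)

def mask_dates(start, end, offset):
    # One fixed shift for both dates keeps start before end; date arithmetic yields a valid date or raises.
    new_start, new_end = start + offset, end + offset
    assert (new_start <= new_end) == (start <= end)
    return new_start, new_end

def make_substitution(rng):
    shuffled = list(string.ascii_lowercase)  # fixed letter-to-letter table for one masking run
    rng.shuffle(shuffled)
    return dict(zip(string.ascii_lowercase, shuffled))

def mask_name(name, table):
    # One-for-one substitution keeps case and non-letters, so the masked name never grows.
    out = [table.get(c.lower(), c.lower()) for c in name]
    masked = "".join(s.upper() if c.isupper() else s for c, s in zip(name, out))
    assert len(masked) == len(name)
    return masked

def mask_status(value, rng):
    # Pick a different value that the application already recognises.
    return rng.choice([s for s in KNOWN_STATUSES if s != value])

def mask_row(row, seed=0):
    # Mask one customer record; a fixed seed makes the run repeatable.
    rng = random.Random(seed)
    table = make_substitution(rng)
    start, end = mask_dates(row["start"], row["end"], dt.timedelta(days=-37))
    return {"name": mask_name(row["name"], table),
            "card": mask_number(row["card"], rng),
            "start": start, "end": end,
            "status": mask_status(row["status"], rng)}
```

Calling `mask_row(SAMPLE_ROW, seed=1)` returns a record in which the card number is still 16 digits in four dashed groups, the masked name is still 11 characters with the space and apostrophe in place, the date interval is unchanged at 50 days, and the status is a different known value.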