3 Implementing Design Studio Security

This chapter presents security mechanisms related to use of Oracle Communications Design Studio.

User Authentication

Design Studio interacts with product server components for cartridge management functions. These functions require user authorization. Design Studio prompts users for credentials, as required. However, this information is not persisted, so users are occasionally prompted again. For usability purposes, users are not prompted on every interaction and may not be prompted until after the application is restarted. Use a desktop lock policy to protect against unauthorized use of cartridge management functions when users are away from their desks.

All Design Studio users should have personal access credentials for cartridge management functions. The credentials should be kept private and never shared.

See Oracle Fusion Middleware Securing a Production Environment for Oracle WebLogic Server.

Design Studio Source Control

Cartridge designs may include information that would help an attacker target a product server. It is important to limit access to Design Studio projects.

Use a source control system to protect cartridge designs, and enable that system's authentication and access controls.

Limit access to cartridge designs to a restricted set of developers. Each developer should use personal authentication credentials when interacting with the source control system. Track all changes committed to the source control repository on a per-user basis to discourage inclusion of viral content in the cartridge implementation. Additionally, Oracle recommends that all submissions be reviewed by a second party.

See the documentation for your source control system for details on configuring authentication and access control functionality.
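
One way to check repository history against the controls described in this section, shown as an added example that is not part of the Oracle documentation. It assumes commit records exported from the source control system as `id|committer|reviewer|path` lines; the record format, account names, and path prefix are all hypothetical.

```python
# Constructed sample export: commit id | committer | reviewer | changed path.
# Format, account names and paths are assumptions made for this example.
SAMPLE_LOG = """\
c101|asmith|bjones|cartridges/order/model.xml
c102|build|asmith|cartridges/order/rules.xml
c103|bjones||cartridges/inventory/spec.xml
c104|cwu|cwu|cartridges/inventory/spec.xml
c105|dlee|asmith|docs/readme.txt
c106|garbled record
"""

AUTHORIZED = {"asmith", "bjones", "cwu"}   # restricted set of developers
SHARED_ACCOUNTS = {"build", "admin"}       # not personal credentials
PROTECTED_PREFIX = "cartridges/"           # where cartridge designs live


def audit(log_text):
    """Return (findings, per_user): policy violations and a per-user change list."""
    findings, per_user = [], {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        fields = [f.strip() for f in line.split("|")]
        if len(fields) != 4:
            # Never skip unparseable history silently: it may hide a change.
            findings.append((fields[0], "malformed record"))
            continue
        commit, user, reviewer, path = fields
        if not path.startswith(PROTECTED_PREFIX):
            continue
        per_user.setdefault(user, []).append(commit)
        if user in SHARED_ACCOUNTS:
            findings.append((commit, "shared account used"))
        elif user not in AUTHORIZED:
            findings.append((commit, "committer not in restricted set"))
        if not reviewer:
            findings.append((commit, "no second-party review"))
        elif reviewer == user:
            findings.append((commit, "self-reviewed"))
    return findings, per_user


if __name__ == "__main__":
    found, by_user = audit(SAMPLE_LOG)
    for commit, reason in found:
        print(f"{commit}: {reason}")
    print(by_user)
```
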

System Security Maintenance

Administrators should carry out regular maintenance activities and take additional measures to further secure the system. To help maintain a secure system, administrators should:

  • Employ password policies for complexity, aging, and failed login attempts

  • Review access and activity logs for suspicious activity

  • Promptly maintain and periodically review user access and permissions

  • Regularly check for component updates

  • Review cartridge designs for sensitive information that is not secured

  • Validate that systems are installed with the highest reasonable security settings

Each component of the system should be assessed regularly, including archived components, source control interactions, and cartridge management functions. Administrators should review who is accessing which parts of the system and whether those actions are valid.