3.3 Security Misconfiguration

This topic describes how the application is configured to avoid security misconfiguration: where configuration files live, how Java and database exceptions are handled without exposing internal detail, how passwords are salted and hashed, and where uploaded files and generated reports are placed.

  1. Configuration Files

    Configuration files are placed inside the classes folder under the WEB-INF folder, which the application server does not serve to clients, so they are not publicly accessible.

  2. Exception handling in java

    Different types of exceptions can arise in the application. Java exceptions are handled using try-catch blocks; where needed, a throw statement raises an exception that is caught by the corresponding catch block. Caught exceptions are written to the log files for debugging whenever required. Whenever an exception occurs, only an appropriate, sanitized message (not the exception text or stack trace) is sent to the front-end user, where it is shown as an alert.

  3. Exception handling in Oracle Database

    Database exceptions are handled using the EXCEPTION section available in PL/SQL. Caught exceptions are written to the log files for debugging, and an appropriate error message is built and returned to the user in the response.
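    As an added example (not code from the FLEXCUBE documentation or product), the following Java handler shows the pattern items 2 and 3 describe: the caught exception, whether raised in Java or surfaced from an Oracle PL/SQL block as a SQLException, is logged in full on the server, while the user receives only a generic message carrying a reference id. The ACCOUNTS table, its column names and the java.util.logging setup are assumptions.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.UUID;
import java.util.logging.Level;
import java.util.logging.Logger;

// Added example (not FLEXCUBE code). The ACCOUNTS table and the logger setup are assumptions.
public final class SafeErrorHandling {

    private static final Logger LOG = Logger.getLogger(SafeErrorHandling.class.getName());

    // The one sentence the front end may show. It carries no exception text or stack trace.
    private static final String GENERIC =
            "The request could not be completed. Please contact support and quote reference ";

    /** Data access: a missing account becomes a Java exception, a database fault a SQLException. */
    public static String fetchBalance(Connection conn, String accountNo) throws SQLException {
        String sql = "SELECT BALANCE FROM ACCOUNTS WHERE ACCOUNT_NO = ?";   // assumed schema
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, accountNo);
            try (ResultSet rs = ps.executeQuery()) {
                if (!rs.next()) {
                    throw new IllegalArgumentException("no such account: " + accountNo);
                }
                return rs.getString(1);
            }
        }
    }

    /**
     * Service-boundary handler: returns the text to show in the front-end alert.
     * Every caught exception is logged in full under a reference id; the user sees
     * only the generic sentence and that id, so the log entry and the alert can be
     * correlated by support without the detail ever leaving the server.
     */
    public static String handleBalanceRequest(Connection conn, String accountNo) {
        String ref = UUID.randomUUID().toString();
        try {
            return "Balance: " + fetchBalance(conn, accountNo);
        } catch (SQLException e) {
            // Vendor error code (the ORA- number with the Oracle driver), SQL state and
            // stack trace go to the server log only, never into the response.
            LOG.log(Level.SEVERE, "ref=" + ref + " db error code=" + e.getErrorCode()
                    + " state=" + e.getSQLState(), e);
            return GENERIC + ref;
        } catch (RuntimeException e) {
            LOG.log(Level.WARNING, "ref=" + ref + " application error", e);
            return GENERIC + ref;
        }
    }
}
```

    A PL/SQL EXCEPTION handler that re-raises with RAISE_APPLICATION_ERROR reaches this code as a SQLException whose getErrorCode() lies in the user-defined range 20000 to 20999, so the Java side can map known codes to specific user-facing messages while every other code still falls through to the generic sentence. The point of the pattern is that the mapping from internal error to user text is an explicit allow-list; nothing from the exception object is concatenated into the alert.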

  4. Package Lockout Situation Handled in Backend

    The application can hang in an Oracle system package lockout situation. Locked objects are released manually using SQL scripts or through a database restart. The cursor lockout problem has been handled in the required packages.

  5. Auto Generated Password

    The password is generated by the system in accordance with the password policy. A new salt is also generated every time the password is changed, using a predefined algorithm.

    The salt is concatenated with the auto-generated password and a SHA-512 hash is applied to the result; the output is the password digest.

    After the password digest has been generated, both the salt and the password digest are stored in the database.

  6. Custom Password

    The password is keyed in by the administrator or user in accordance with the password policy. A new salt is generated every time the password is changed, using a predefined algorithm.

    The salt is concatenated with the keyed-in password and a SHA-512 hash is applied to the result; the output is the password digest.

    After the password digest has been generated, both the salt and the password digest are stored in the database.

    Oracle FLEXCUBE Universal Banking does not ship with any default user or password. A user and password must be created at installation time.
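    The salt-and-SHA-512 scheme of items 5 and 6, as an added example in Java rather than code from the product: a fresh random salt is drawn on every password set or change, the digest is SHA-512 over salt || password, both values are stored, and verification recomputes the digest and compares in constant time. The 16-byte salt length, SecureRandom as the salt source, the generator alphabet and the Base64 storage encoding are assumptions; the page only says the salt comes from a predefined algorithm.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;

// Added example (not FLEXCUBE code). Salt length, salt source, alphabet and encoding are assumptions.
public final class PasswordDigest {

    private static final SecureRandom RNG = new SecureRandom();
    private static final int SALT_BYTES = 16;   // assumed

    /** What gets persisted: the salt and the digest, as the text says, never the password. */
    public static final class Stored {
        public final byte[] salt;
        public final byte[] digest;
        Stored(byte[] salt, byte[] digest) { this.salt = salt; this.digest = digest; }
        @Override public String toString() {
            return Base64.getEncoder().encodeToString(salt) + ":" + Base64.getEncoder().encodeToString(digest);
        }
    }

    /** A fresh salt every time the password is set or changed. */
    public static byte[] newSalt() {
        byte[] salt = new byte[SALT_BYTES];
        RNG.nextBytes(salt);
        return salt;
    }

    /** digest = SHA-512(salt || password), password encoded as UTF-8. */
    public static byte[] digest(byte[] salt, char[] password) {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-512");
            md.update(salt);
            md.update(new String(password).getBytes(StandardCharsets.UTF_8));
            return md.digest();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-512 is mandatory in every Java runtime", e);
        }
    }

    /** Same routine for the auto-generated (item 5) and the keyed-in (item 6) password. */
    public static Stored create(char[] password) {
        byte[] salt = newSalt();
        return new Stored(salt, digest(salt, password));
    }

    /** Constant-time comparison so the check does not leak how many leading bytes matched. */
    public static boolean verify(Stored stored, char[] candidate) {
        return MessageDigest.isEqual(stored.digest, digest(stored.salt, candidate));
    }

    /** Auto-generated password from an alphabet the policy is assumed to allow. */
    public static char[] generatePassword(int length) {
        String alphabet = "ABCDEFGHJKLMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz23456789!@#$%";
        char[] out = new char[length];
        for (int i = 0; i < length; i++) {
            out[i] = alphabet.charAt(RNG.nextInt(alphabet.length()));
        }
        return out;
    }

    public static void main(String[] args) {
        char[] pw = generatePassword(12);
        Stored first = create(pw);
        System.out.println("stored record:       " + first);
        System.out.println("correct password:    " + verify(first, pw));
        System.out.println("wrong password:      " + verify(first, "wrong".toCharArray()));
        // A password change draws a new salt, so the same password yields a different digest.
        Stored second = create(pw);
        System.out.println("salt reused:         " + Arrays.equals(first.salt, second.salt));
        System.out.println("digest reused:       " + Arrays.equals(first.digest, second.digest));
        Arrays.fill(pw, '\0');   // clear the plaintext once it is no longer needed
    }
}
```

    Verification uses MessageDigest.isEqual rather than Arrays.equals so that a mismatch takes the same time whichever byte differs. One caveat a practitioner would raise: a single SHA-512 pass is very fast, so if the table of salts and digests leaks, an attacker can test candidates against the password policy's keyspace at hardware speed; where the deployment allows, an iterated construction such as PBKDF2WithHmacSHA512 (available through javax.crypto.SecretKeyFactory in every Java runtime) raises that cost by a configurable iteration count while keeping the same stored-salt design.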

  7. Sand Box for File Upload

    The application uses a sandbox for placing files that are uploaded via the signature/image upload screen. The sandbox is a directory at a specified location on the server; the location is set in the properties file.

  8. BI Publisher Reports – Generation and Access

    Generated report files are likewise placed in a sandbox area at a specified location on the server, set in the properties file. Before generating a report, the application validates that the user has explicit rights to generate reports.
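    Items 7 and 8 both place files in a sandbox directory named in the properties file. The following Java class, added here as an example and not taken from the product, shows the check a sandbox needs in order to be worth the name: a client-supplied file name is resolved against the configured root, normalized, and accepted only if it names a single file directly inside that root with an allowed extension, so sequences such as ../ or an absolute path cannot land a file elsewhere. The property key upload.sandbox.dir, the extension allow-list and the right name REPORT_GENERATE are assumptions.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.InvalidPathException;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Locale;
import java.util.Set;

// Added example (not FLEXCUBE code). Property key, allowed extensions and right name are assumptions.
public final class Sandbox {

    private final Path root;
    private final Set<String> allowedExtensions;

    /** Root comes from the properties file, e.g. upload.sandbox.dir=/opt/app/sandbox (assumed key). */
    public Sandbox(String configuredDir, Set<String> allowedExtensions) throws IOException {
        this.root = Paths.get(configuredDir).toAbsolutePath().normalize();
        this.allowedExtensions = allowedExtensions;
        Files.createDirectories(root);
    }

    /**
     * Resolves a client-supplied name to a path inside the sandbox, or throws.
     * After normalization the candidate must be a direct child of the root: that single
     * test rejects "..", "../../etc/passwd", absolute paths, sub-directories and "".
     */
    public Path resolveInside(String clientName) {
        final Path target;
        try {
            target = root.resolve(clientName).normalize();
        } catch (InvalidPathException e) {          // e.g. an embedded NUL byte
            throw new IllegalArgumentException("invalid file name");
        }
        if (!root.equals(target.getParent())) {
            throw new IllegalArgumentException("file name must be a single component inside the sandbox");
        }
        String name = target.getFileName().toString();
        int dot = name.lastIndexOf('.');
        String ext = dot < 0 ? "" : name.substring(dot + 1).toLowerCase(Locale.ROOT);
        if (!allowedExtensions.contains(ext)) {
            throw new IllegalArgumentException("file type not allowed: " + ext);
        }
        return target;
    }

    /** Item 7: write an upload into the sandbox. Without REPLACE_EXISTING an existing file is never overwritten. */
    public Path store(String clientName, InputStream content) throws IOException {
        Path target = resolveInside(clientName);
        Files.copy(content, target);
        return target;
    }

    /** Item 8: the rights check comes before any path is resolved for a generated report. */
    public Path generatedReport(Set<String> userRights, String reportName) {
        if (!userRights.contains("REPORT_GENERATE")) {   // assumed right name
            throw new SecurityException("user lacks the right to generate reports");
        }
        return resolveInside(reportName);
    }

    public static void main(String[] args) throws IOException {
        Sandbox sb = new Sandbox(System.getProperty("java.io.tmpdir") + "/upload-sandbox",
                                 Set.of("png", "jpg", "jpeg"));
        System.out.println("accepted: " + sb.resolveInside("signature.png"));
        // Constructed hostile names, each of which must be rejected.
        for (String bad : new String[] {"../../etc/passwd", "/etc/passwd", "sub/dir.png", "shell.jsp", "..", ""}) {
            try {
                sb.resolveInside(bad);
                System.out.println("ACCEPTED (bug): " + bad);
            } catch (IllegalArgumentException e) {
                System.out.println("rejected \"" + bad + "\": " + e.getMessage());
            }
        }
        System.out.println("report: " + sb.generatedReport(Set.of("REPORT_GENERATE"), "daily.png"));
    }
}
```

    Running main prints the resolved path for signature.png, a rejection line for each of the hostile names, and the report path once the right is present. Two further points apply to any such sandbox: the directory should sit outside the web application's document root, so nothing in it is reachable or executable by URL, and reads should go through the same resolveInside check as writes, so a download parameter cannot reach outside the directory either.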