2.5 Security Misconfiguration

  1. Configuration files

    Configuration files are placed inside the classes folder under WEB-INF, which is not publicly accessible.

  2. Exception handling in java

    Different types of exceptions can arise in the application. Java exceptions are handled using the try/catch blocks available in Java. In some cases a throw statement is used to raise an exception that is then caught by the catch block. Caught exceptions are written to the log files for debugging whenever required. Whenever an exception occurs in the application, appropriate information is sent to the front-end user by showing an alert.

  3. Exception handling in oracle database

    Database exceptions are handled using the EXCEPTION statement available in PL/SQL. Caught exceptions are written to the log files for debugging, and a proper error message is created and sent in the response to the user.

  4. Package lockout situation handled in backend

    The application hangs in an Oracle system package lockout situation. Locked objects are released manually using SQL scripts or through a database restart.

    Cursor lockout problems have been handled in the required packages.

  5. Auto generated password:

    The password is generated by the system in accordance with the password policy. A salt is also generated, using a predefined algorithm, every time the password is changed.

    The salt is concatenated with the auto-generated password and SHA-512 is applied to the result, which produces the password digest.

    Once the password digest has been generated successfully, both the salt and the password digest are stored in the DB.

  6. Custom password:

    The password is keyed in by the administrator or user in accordance with the password policy. A salt is generated, using a predefined algorithm, every time the password is changed.

    The salt is concatenated with the password input and SHA-512 is applied to the result, which produces the password digest.

    Once the password digest has been generated successfully, both the salt and the password digest are stored in the DB.

    Oracle Banking Trade Finance does not provide any default user/password. The user and password need to be created at the time of installation.
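    The salted SHA-512 digest scheme described in items 5 and 6, as an added illustration that is not the product's own code. The 16-byte salt length, the hex storage format and the function names are assumptions; the page specifies only that a fresh salt is concatenated with the password, SHA-512 is applied, and salt plus digest are stored.

```python
import hashlib
import hmac
import os
from typing import Optional

SALT_BYTES = 16  # assumed salt length; the page does not state one


def generate_salt(length: int = SALT_BYTES) -> bytes:
    """Fresh random salt, regenerated every time a password is set or changed."""
    return os.urandom(length)


def password_digest(password: str, salt: bytes) -> str:
    """SHA-512 over salt || password, as the page describes; returned as hex."""
    return hashlib.sha512(salt + password.encode("utf-8")).hexdigest()


def store_credential(password: str, salt: Optional[bytes] = None) -> dict:
    """Build the record that is persisted: the salt and the digest, never the password."""
    salt = salt if salt is not None else generate_salt()
    return {"salt": salt.hex(), "digest": password_digest(password, salt)}


def verify_password(candidate: str, record: dict) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    actual = password_digest(candidate, salt)
    return hmac.compare_digest(actual, record["digest"])


if __name__ == "__main__":
    # Constructed sample: two users choosing the same password get different
    # records because each gets its own salt.
    user_a = store_credential("Tr@deF1nance!2024")
    user_b = store_credential("Tr@deF1nance!2024")
    print(user_a["digest"] != user_b["digest"])        # True
    print(verify_password("Tr@deF1nance!2024", user_a))  # True
    print(verify_password("wrong-password", user_a))     # False
```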

  7. Sand Box for File Upload

    The application uses a sandbox for placing files that are uploaded via the signature/image upload screen. The sandbox is placed at a location on the server that is specified in the properties file.

  8. BI Publisher Reports – generation and access

    The application places generated report files into a sandbox area. The sandbox is placed at a location on the server that is specified in the properties file. The application validates that the user has explicit rights to generate reports.