Table of Contents

• Title and Copyright Information
• Preface
  • Documentation accessibility
  • Diversity and Inclusion
  • Related resources
  • Access to Oracle Support
  • Additional copyright information
• 1 Security overview
  • Application security overview
  • General security principles
    • Keep software up to date
    • Keep up to date on the latest Critical Patch Updates
    • Follow the principle of least privilege
    • Require secure session practices
    • Scan files for viruses prior to uploading them to Oracle InForm
    • Lock computers to protect data
    • Provide only the necessary rights to perform an operation
    • Design multiple layers of protection
    • web.config settings to secure Oracle InForm .NET projects
  • Password security principles
    • Configure strong passwords on the database
    • Require complex and secure passwords
    • Keep passwords private and secure
    • Configure your browser so that it doesn't remember or automatically fill passwords
    • Change passwords periodically
    • Configure updated database user passwords in Oracle InForm
      • PFDBAdmin (sysdba)
      • Oracle InForm admin DSN
      • Trial schema
      • Customer Defined Database (CDD)
      • Randomization Database (RND)
      • Oracle InForm Publisher Grantor
      • Oracle InForm Adapter user
• 2 Secure installation and configuration
  • Installation overview
    • Transport Layer Security (TLS)
    • Secure cookies
    • Add HTTP Strict-Transport-Security (HSTS) headers
    • Signing authorizations
      • Use digital certificates issued by Certificate Authorities
    • Install only the Oracle InForm features needed
    • About entering passwords
    • Configure strong administrator passwords
    • Close all unused ports
    • Disable all unused services
    • Disable unnecessary services provided by the operating system for Oracle InForm Publisher
    • Revoke unnecessary grants for Oracle InForm Publisher
    • Restrict network access to critical services for Oracle InForm Adapter
    • Secure Socket Layer (SSL) for Oracle InForm Adapter
    • Installation username and password for Oracle InForm Adapter
    • Close all unused ports and open necessary ports for Oracle InForm Adapter
    • Disable all unused Windows services for Oracle InForm Adapter
    • Restrict access to the Register Trial tool for Oracle InForm Adapter
  • Post-installation configuration
    • Restrict access to Oracle InForm server machines
    • Restrict access control for Oracle InForm Adapter
    • Restrict access to the file server for Oracle InForm Publisher
    • Configure strong user passwords
    • Configure rights and rights groups
    • Review administrative configurations periodically
    • Configure the pfreportinguser account
    • Change the pfuser password as required
      • Run pfadmin
      • Update IIS with the new pfuser password
      • Update COM+ applications with the new password
    • Change the PFCapAdmin password as required
• 3 Security features
  • In this chapter
    • Password configuration for user security
    • Passwords for new users
    • Login security
    • No data loss after a session transaction
    • Automatically inactivated user accounts
    • Restricted access to the application
  • Application security features
    • Users assigned to user types
    • Rights assigned to rights groups
    • Users assigned to rights groups
    • Users assigned to groups
    • Users assigned to sites
    • Display overrides
    • Changed Cognos user groups
  • Data security features
    • Restricted viewing of Protected Health Information
    • Audit trails for data security
    • Freezing and locking data
    • Considerations for using email
      • Considerations for configuring email notifications
      • Considerations for using automated emails for gathering subject data
      • Considerations for sending reports by email from the Cognos software
  • web.config settings to secure Oracle InForm .NET projects
  • web.config settings that secure the Oracle InForm Adapter web services
    • WCF—Enabling and disabling metadata
    • WCF—Turn off includeExceptionsDetailsInFaults attribute
  • Configure user authentication for applicable web services
  • Restricted viewing of Protected Health Information
• 4 Developement security overview
  • OWASP top ten security vulnerabilities 2021
  • Security awareness and education
  • The risk associated with build your own
  • Other aspects of security
  • Disclaimer
  • Secure development for the Oracle InForm Adapter
    • Overview of Oracle InForm Adapter secure development
    • Transport layer protection
    • Web service authentication
    • SQL injection
    • XML injection
    • Secure misconfiguration
• 5 Top ten security risks
  • Overview of the OWASP top ten list
    • #1 - Broken access control
    • #2 - Cryptographic failures
    • #3 - Injection
      • Valid content types
      • SQL injection
      • XML injection
    • #4 - Insecure design
    • #5 - Security misconfiguration
      • XML External Entities (XXE)
    • #6 - Vulnerable and Outdated Components
    • #7 - Identification and authentication failures
    • #8 - Software and data integrity failures
    • #9 - Security Logging and Monitoring Failures
    • #10 - Server-Side Request Forgery (SSRF)