A Appendix: Secure Development Guide

The web service APIs provided by Supplier Evaluation are designed to be secure by default. When consuming these services, there are recommended best practices for the clients which call them. These development and usage guidelines are provided to maintain secure use, and preserve integrity throughout the system domain.

The Supplier Evaluation web services are secured using OAuth 2.0. In order to use them, calling clients require an External System within Supplier Evaluation and a corresponding Application within IDCS with which to authenticate. Transport encryption is enabled using TLS v1.2 as a minimum standard.

Best Practices for Web Service Use

This section describes some best practices.

Store External System Credentials Securely

In order to grant access to web services, credentials must be set up within Supplier Evaluation in an External System record and a corresponding Application record in IDCS. These credentials, used by the client to call web services, should be managed securely in the client's domain. Passwords should not be stored in plaintext, whether in a file, in source code, or in a database table; hold them in a secrets store or equivalent protected storage and supply them to the client at run time.

Configure External Systems Permissions Appropriately

The permissions of External Systems are configurable, and determine which services may be accessed. The permissions model governs not only the service which is accessible (for example, the Product Service), but also the endpoints (or actions) permissible on that service (for example, Read a Product or Add a Product).

It is recommended that External Systems are set up with the minimum authorities required to perform their function. External System records should have granular permissions wherever feasible, rather than be granted access to many disparate functions. This limits what an attacker can reach if the credentials are compromised.

Maintain Strong Passwords for External System Records

Configurable parameters within the Supplier Evaluation Oracle Identity Cloud Service (IDCS) or Oracle Cloud Infrastructure Identity and Access Management (OCI IAM) tenant govern the strength of passwords used for External Systems and the rules surrounding their expiry. These parameters are set to values which strike a suitable balance between usability and security by default.

It is advised that, should a client wish to change any of these parameter values, it should only be to increase security. Changes which weaken security are not recommended.

Those responsible for maintaining clients which consume services should note that passwords for External Systems expire in the same manner as those for regular application users.

Note:

A process for updating the credentials used by the client should be put in place, as IDCS or OCI IAM does not send automated notifications of pending password expiry.

For full details of this functionality, and of External Systems in general, see the Oracle Retail Supplier Evaluation Cloud Service Administration Guide.

Make Use of the Web Service Log

Intrusion detection mechanisms are employed within the hosted environment of Supplier Evaluation to detect and block malicious behavior at the network level. In addition to this, protections against XML injection attacks exist at the logical tier.

The application also provides a Web Service Log for users with sufficient permissions to see what calls have been made to its services. This provides a user-centric audit of the web service activity within the application, and can help clients monitor usage, or gather metrics to understand usage behavior further.

Ensure Your Client Supports TLS v1.2 or Higher

All Supplier Evaluation deployments require communication over HTTPS, with TLS v1.2 as the minimum protocol version. Clients of the web services must be built on a platform which supports TLS v1.2 or higher, and should be configured to refuse anything older. Java 7, for example, implements TLS v1.2 but does not enable it for client connections by default; Java 8 and later do.
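The following is an added example, not code from the Oracle Retail Supplier Evaluation documentation or product, showing how a Python client can apply the guidance in "Store External System Credentials Securely" and this section together: it reads the External System client ID and secret from the process environment (populated from a secrets store rather than a plaintext file), fails closed if either is missing, pins the TLS floor at v1.2 while leaving certificate and hostname verification on, and builds the OAuth 2.0 client-credentials token request. The environment variable names SE_CLIENT_ID and SE_CLIENT_SECRET, the token URL and the scope value are assumptions for illustration; the real IDCS or OCI IAM token endpoint and scope come from your tenant.

```python
"""Added example (not Oracle's code): secure credential loading, a TLS 1.2
floor, and an OAuth 2.0 client-credentials token request for a
Supplier Evaluation web service client. Endpoint, scope and variable
names are assumptions for illustration.
"""
import base64
import json
import os
import ssl
import urllib.parse
import urllib.request


def load_client_credentials(env=os.environ):
    """Read the External System client ID and secret from the environment.

    The environment is populated by a secrets manager at deploy time, so
    the secret never sits in a source file or a configuration table. A
    missing value raises instead of falling back to a default (fail closed).
    """
    try:
        return env["SE_CLIENT_ID"], env["SE_CLIENT_SECRET"]
    except KeyError as missing:
        raise RuntimeError(f"credential {missing} not set") from None


def build_tls_context():
    """Return an SSL context that refuses anything older than TLS 1.2.

    create_default_context() already enables certificate verification and
    hostname checking; only the protocol floor is raised here.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def basic_auth_header(client_id, client_secret):
    """HTTP Basic value for the token endpoint (RFC 6749 section 2.3.1)."""
    raw = f"{client_id}:{client_secret}".encode()
    return "Basic " + base64.b64encode(raw).decode()


def token_request(token_url, client_id, client_secret, scope):
    """Build, but do not send, the client-credentials grant request."""
    body = urllib.parse.urlencode(
        {"grant_type": "client_credentials", "scope": scope}
    ).encode()
    return urllib.request.Request(
        token_url,
        data=body,
        method="POST",
        headers={
            "Authorization": basic_auth_header(client_id, client_secret),
            "Content-Type": "application/x-www-form-urlencoded",
        },
    )


def fetch_access_token(token_url, scope, env=os.environ):
    """Obtain a bearer token over a TLS 1.2+ connection (network call)."""
    client_id, client_secret = load_client_credentials(env)
    req = token_request(token_url, client_id, client_secret, scope)
    with urllib.request.urlopen(req, context=build_tls_context(), timeout=30) as resp:
        payload = json.load(resp)
    return payload["access_token"]


def bearer_header(access_token):
    """Authorization header value for subsequent web service calls."""
    return {"Authorization": f"Bearer {access_token}"}
```

The same ssl context returned by build_tls_context() should be passed to every subsequent service call, not only to the token request; a client that negotiates TLS 1.2 with IDCS but lets an intermediate library fall back to TLS 1.0 elsewhere has not met the requirement.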

Limit the Size of Web Service Payloads

The web services are designed for continued, real-time use. It is recommended that calls to the services are made so that they retrieve or send only what is required for the task at hand.

Where larger result sets are necessary, however, provision is made within the web service APIs for paging of data: by providing an offset and a page size, a client can retrieve one page of results at a time rather than the whole set in a single response.
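The following is an added example, not code from the Oracle Retail Supplier Evaluation documentation or product, showing a paging loop built on the offset and page size described above. The query parameter names offset and pageSize, the cap of 100 records per page, and the FakeProductService stand-in (constructed so the loop runs offline) are assumptions for illustration; consult the API reference for the real parameter names and limits. The loop stops on a short or empty page, so an exact multiple of the page size costs at most one extra request, and it bounds the number of pages so a misbehaving service cannot keep it running indefinitely.

```python
"""Added example (not Oracle's code): paging through a large result set
one bounded page at a time. Parameter names and the page-size cap are
assumptions for illustration.
"""
import urllib.parse

MAX_PAGE_SIZE = 100  # assumed server-side cap; keeps each payload bounded


def page_url(base_url, offset, page_size):
    """Build the URL for one page of results, clamping the page size."""
    if offset < 0 or page_size < 1:
        raise ValueError("offset must be >= 0 and page_size >= 1")
    page_size = min(page_size, MAX_PAGE_SIZE)
    query = urllib.parse.urlencode({"offset": offset, "pageSize": page_size})
    return f"{base_url}?{query}"


def iter_records(fetch_page, page_size=50, max_pages=10_000):
    """Yield records page by page until the service runs out.

    fetch_page(offset, page_size) returns the list of records for that page
    and is where the HTTP call (with the bearer token and TLS context)
    lives. A page shorter than page_size, including an empty one, ends the
    loop; max_pages bounds the loop against a service that never returns a
    short page.
    """
    page_size = min(page_size, MAX_PAGE_SIZE)
    offset = 0
    for _ in range(max_pages):
        page = fetch_page(offset, page_size)
        yield from page
        if len(page) < page_size:
            return
        offset += page_size
    raise RuntimeError(f"gave up after {max_pages} pages")


class FakeProductService:
    """Constructed stand-in for the Product Service so the loop runs offline."""

    def __init__(self, total):
        self.records = [{"id": f"P{i:04d}"} for i in range(total)]
        self.calls = 0

    def fetch_page(self, offset, page_size):
        self.calls += 1
        return self.records[offset:offset + page_size]


def collect_all(total, page_size):
    """Page through a constructed service; return the ids and request count."""
    svc = FakeProductService(total)
    ids = [r["id"] for r in iter_records(svc.fetch_page, page_size)]
    return ids, svc.calls


if __name__ == "__main__":
    ids, calls = collect_all(23, 10)
    print(f"{len(ids)} records in {calls} requests")  # 23 records in 3 requests
```

In a real client, fetch_page wraps the HTTPS request to page_url(...) and returns the decoded record list; keeping the HTTP call inside that one function is what lets the paging logic be exercised without network access.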