Secure Development Guide
Release 8.0
E98318-01
February 2019
The Secure Development Guide provides an overview of the security options for customers who will use Healthcare Data Repository (HDR) user database accounts and middle tier WebLogic user accounts to access the HDR APIs. Note that the set of recommendations in this document is not exhaustive and that no guarantee is given that implementing all the suggestions in this document provides sufficient protection for all security threats. The reason for this disclaimer is that you cannot delegate responsibility for secure application development to a third party or a single document. This document is to help developers be aware of the security tools and features that they can use to implement application security. This document does not replace a formal code review process.
Guidelines are presented here to assist in mitigating common security risks when customers are using the HDR APIs. The Open Web Application Security Project (OWASP) publishes the OWASP Top 10 to identify some of the most critical application security risks. This document briefly describes each Top 10 risk, provides the HDR mitigation strategies, and encourages our users to extend these strategies to secure their own applications and environments that use our APIs. Some of the web-specific Top 10 items don't apply to HDR; these are marked as Not Applicable.
This paper discusses the practices and strategies used by the HDR application to mitigate risks posed by the security vulnerabilities documented in the OWASP Top 10 – 2013. Customers using the HDR APIs should be aware of and protect against these threats as well.
For the OWASP Foundation's description of the OWASP Top 10 Application Security Risks see the following document: https://www.owasp.org/images/f/f8/OWASP_Top_10_-_2013.pdf.
SQL Injection can occur when untrusted data is used in a command or query. If an attacker sends hostile data, this can result in executing harmful commands or in unauthorized access of data.
The HDR APIs accept query parameters which could potentially contain hostile data. HDR code adheres to the recommended standards to avoid SQL Injection possibilities by using bind variables and by checking and validating the user input.
Customers using the HDR APIs to build applications should code carefully, using proper data validations and checking user input where needed.
The risk of insecure login credentials or session IDs increases with custom built authentication schemes.
The HDR APIs are secured using the standard WebLogic authentication mechanism. Follow the WebLogic recommendations on creating and configuring a suitable authentication provider where the HDR WebLogic user accounts will be stored. Refer to https://docs.oracle.com/middleware/12213/wls/SECMG/toc.htm.
Avoid building a custom authentication provider for using the HDR APIs. Use strong passwords and maintain security of account credentials.
Direct object references are insecure when an attacker is able to substitute a reference to an internal application object with a reference to another object that the user is not authorized to access and the application doesn't verify the user's authorization, but permits the unauthorized access.
User authorization and direct object references must be handled in the application code that uses the HDR APIs. All HDR APIs are accessible to any authenticated user. This user is an internal user and not the same as the users that log in to the application developed using the HDR APIs.
In software using the HDR APIs, a direct object reference from an untrusted source should verify the user authorization to access the object.
Attackers can take advantage when the security configuration is incorrect or incomplete and obtain unauthorized access to an application. The entire technology stack must be configured properly, and processes should be in place to detect misconfigurations—missing patches, accounts with default passwords, insecure settings in frameworks or libraries, etc.
Since HDR is an on-premise application, it must be deployed in a secure WebLogic instance.
Ensure that your WebLogic configuration where HDR is deployed does not contain opportunities for an attacker to gain unauthorized access to the system. Take care to secure default accounts, files or directories, servers, the network, and other data access channels of the HDR deployment and APIs.
Attackers may obtain unauthorized access to poorly protected sensitive data. Caution should be used to hide sensitive information from unauthorized users.
User authorization is not part of the HDR application itself and it is strongly recommended that the applications developed using the HDR APIs have their own user management, authorization and access control mechanisms to allow controlled access to data stored in HDR.
In some applications, the UI controls function-level access by exposing only the functionality for which access has been granted and hiding functionality where the user has not been granted access. If there is no database-level access control, then an attacker, who has partial access to the application, might gain access to an unauthorized function.
The software that uses the HDR APIs should properly enforce access privileges for application functions at the level of the business logic. The default behavior in an application should be to deny access to application functions unless the access is granted explicitly.
If an older version of a component with a known vulnerability is deployed in an environment, then an attacker who is aware of the vulnerability could take advantage and obtain unauthorized access.
HDR is built on a technology stack where patches and new releases offer improvements, including security-related modifications. The HDR application is an on-premise application and users should download and apply recommended security patches for the respective versions of components like WebLogic server and Oracle Database.
HDR users should follow the same policy of applying patches and updating to the latest versions of components being used, especially if security vulnerabilities have been reported in older versions.
For information about Oracle's commitment to accessibility, visit the Oracle Accessibility Program website at http://www.oracle.com/pls/topic/lookup?ctx=acc&id=docacc.
Oracle customers that have purchased support have access to electronic support through My Oracle Support. For information, visit http://www.oracle.com/pls/topic/lookup?ctx=acc&id=info or visit http://www.oracle.com/pls/topic/lookup?ctx=acc&id=trs if you are hearing impaired.
Oracle Healthcare Data Repository Secure Development Guide, Release 8.0
E98318-01
Copyright © 2018, Oracle and/or its affiliates. All rights reserved.
This software and related documentation are provided under a license agreement containing restrictions on use and disclosure and are protected by intellectual property laws. Except as expressly permitted in your license agreement or allowed by law, you may not use, copy, reproduce, translate, broadcast, modify, license, transmit, distribute, exhibit, perform, publish, or display any part, in any form, or by any means. Reverse engineering, disassembly, or decompilation of this software, unless required by law for interoperability, is prohibited.
The information contained herein is subject to change without notice and is not warranted to be error-free. If you find any errors, please report them to us in writing.
If this is software or related documentation that is delivered to the U.S. Government or anyone licensing it on behalf of the U.S. Government, then the following notice is applicable:
U.S. GOVERNMENT END USERS: Oracle programs, including any operating system, integrated software, any programs installed on the hardware, and/or documentation, delivered to U.S. Government end users are "commercial computer software" pursuant to the applicable Federal Acquisition Regulation and agency-specific supplemental regulations. As such, use, duplication, disclosure, modification, and adaptation of the programs, including any operating system, integrated software, any programs installed on the hardware, and/or documentation, shall be subject to license terms and license restrictions applicable to the programs. No other rights are granted to the U.S. Government.
This software or hardware is developed for general use in a variety of information management applications. It is not developed or intended for use in any inherently dangerous applications, including applications that may create a risk of personal injury. If you use this software or hardware in dangerous applications, then you shall be responsible to take all appropriate fail-safe, backup, redundancy, and other measures to ensure its safe use. Oracle Corporation and its affiliates disclaim any liability for any damages caused by use of this software or hardware in dangerous applications.
Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective owners.
Intel and Intel Xeon are trademarks or registered trademarks of Intel Corporation. All SPARC trademarks are used under license and are trademarks or registered trademarks of SPARC International, Inc. AMD, Opteron, the AMD logo, and the AMD Opteron logo are trademarks or registered trademarks of Advanced Micro Devices. UNIX is a registered trademark of The Open Group.
This software or hardware and documentation may provide access to or information about content, products, and services from third parties. Oracle Corporation and its affiliates are not responsible for and expressly disclaim all warranties of any kind with respect to third-party content, products, and services unless otherwise set forth in an applicable agreement between you and Oracle. Oracle Corporation and its affiliates will not be responsible for any loss, costs, or damages incurred due to your access to or use of third-party content, products, or services, except as set forth in an applicable agreement between you and Oracle.