Release 3.2
E87268-01
 Home |  Book List |  Contents |  Contact Us |
Go to main content
| Oracle® Healthcare Translational Research Secure Development Guide Release 3.2 E87268-01 |
|
| PDF · Mobi · ePub |
Secure Development Guide
Release 3.2
E87268-01
May 2017
The Oracle Healthcare Translational Research (OHTR) Secure Development Guide provides guidance on how to avoid introducing security flaws when developing code for applications that use the OHTR REST APIs and while using these applications. It helps developers be aware of the security tools and features they can use to implement application security.
This set of recommendations is not exhaustive and does not replace a formal code review process.
The Open Web Application Security Project (OWASP) publishes the OWASP Top 10 Application Security Risks to identify some of the most critical risks. This document briefly describes the top risks that apply and provides mitigation strategies. Users are encouraged to extend these strategies to secure their own applications and environments that use OHTR REST APIs.
This guide describes the practices and strategies used in OHTR to mitigate security vulnerabilities and is based on the OWASP Top 10 Application Security Risks as available at https://www.owasp.org/images/f/f8/OWASP_Top_10_-_2013.pdf.
The Top 10 risks include:
SQL Injection can occur when untrusted data is used in a command or query when an attacker adds SQL commands that are executed against the connected database. To protect against this, OHTR does the following:
Avoids dynamic SQL generation.
Uses bind variables.
Validates user input when possible.
You should extend this approach when you use the OHTR REST APIs.
The OHTR UI uses OPSS for authentication. OHTR REST API applications should take advantage of WebLogic's user authentication functionality. Follow these guidelines:
Avoid building a custom authentication system. The risk of insecure login credentials or session IDs increases with custom built authentication schemes.
Do not store passwords (including third party) in the database, even though it is encrypted. Instead, store them in a WebLogic credentials store.
Provide appropriate error messages: do not provide specific or detailed information on why the authentication failed. You may provide the details in an application log file for Support.
Use TLS 1.2 for the traffic between user browser and the application server in a production environment.
Use strong passwords and maintain security of account credentials.
Not applicable for OHTR REST APIs.
In the OHTR UI, this is handled by using ADF security.
Not applicable to OHTR REST APIs or the OHTR UI.
Attackers can take advantage when the security configuration is incorrect or incomplete and obtain unauthorized access to an application. The entire technology stack must be configured properly, including ADF, and processes should be in place to detect misconfigurations.
Ensure that your application does not contain opportunities for an attacker to gain unauthorized access to the system. Take care to secure default accounts, files, directories, servers, the network, and other data access channels outside of the API domain. See the OHTR Security Guide.
Be careful to hide sensitive information from unauthorized users.
Query predicates One of the best ways to ensure sensitive data is kept that way is to retrieve it from the database only on a "need to know" basis. This is much safer than fetching all the data to the middle tier and then filtering or redacting information that the current user is not supposed to have access to.
Use proper data authorization. In OHTR, the Virtual Private Database (VPD) is used to protect sensitive data.
In the OHTR UI, do not increase the session timeout.
The OHTR UI uses ADF Faces to lock down the data access to the UI layer by dynamically controlling UI elements.
Use the defense in depth design pattern. Use authorization checks to guard application functionality that executes methods and operations. Never assume that a specific method will only be called within the context that it was initially designed for.
Users must have an appropriate application role to be able to execute a particular OHTR REST API.
In the OHTR UI, all the functions are protected by ADF Custom Resource Permissions and Security EL expressions, leveraging the ADF Security Context.
Cross-site request forgery is the risk of a third-party request to a web application on behalf of an authenticated user. This is taken care of in the OHTR UI by using the ADF Framework.
Not applicable to OHTR REST APIs.
If an older version of a component with a known vulnerability is deployed in an environment, then an attacker who is aware of the vulnerability can take advantage and obtain unauthorized access. To guard against this:
Use only third party components that are approved for use by Oracle Corporation.
Adopt patches and vendor updates as quickly as possible, especially if a patch contains a security-related fix. Use the latest version available that has been approved to use.
Be proactive about keeping up to date with releases of Oracle ADF, WebLogic and Oracle Critical Patch Updates.
Not applicable for the OHTR UI or REST APIs, as these applications do not do forwards or redirects.
For information about Oracle's commitment to accessibility, visit the Oracle Accessibility Program website at http://www.oracle.com/pls/topic/lookup?ctx=acc&id=docacc.
Oracle customers that have purchased support have access to electronic support through My Oracle Support. For information, visit http://www.oracle.com/pls/topic/lookup?ctx=acc&id=info or visit http://www.oracle.com/pls/topic/lookup?ctx=acc&id=trs if you are hearing impaired.
Oracle Healthcare Translational Research Secure Development Guide, Release 3.2
E87268-01
Copyright © 2017, Oracle and/or its affiliates. All rights reserved.
This software and related documentation are provided under a license agreement containing restrictions on use and disclosure and are protected by intellectual property laws. Except as expressly permitted in your license agreement or allowed by law, you may not use, copy, reproduce, translate, broadcast, modify, license, transmit, distribute, exhibit, perform, publish, or display any part, in any form, or by any means. Reverse engineering, disassembly, or decompilation of this software, unless required by law for interoperability, is prohibited.
The information contained herein is subject to change without notice and is not warranted to be error-free. If you find any errors, please report them to us in writing.
If this is software or related documentation that is delivered to the U.S. Government or anyone licensing it on behalf of the U.S. Government, then the following notice is applicable:
U.S. GOVERNMENT END USERS: Oracle programs, including any operating system, integrated software, any programs installed on the hardware, and/or documentation, delivered to U.S. Government end users are "commercial computer software" pursuant to the applicable Federal Acquisition Regulation and agency-specific supplemental regulations. As such, use, duplication, disclosure, modification, and adaptation of the programs, including any operating system, integrated software, any programs installed on the hardware, and/or documentation, shall be subject to license terms and license restrictions applicable to the programs. No other rights are granted to the U.S. Government.
This software or hardware is developed for general use in a variety of information management applications. It is not developed or intended for use in any inherently dangerous applications, including applications that may create a risk of personal injury. If you use this software or hardware in dangerous applications, then you shall be responsible to take all appropriate fail-safe, backup, redundancy, and other measures to ensure its safe use. Oracle Corporation and its affiliates disclaim any liability for any damages caused by use of this software or hardware in dangerous applications.
Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective owners.
Intel and Intel Xeon are trademarks or registered trademarks of Intel Corporation. All SPARC trademarks are used under license and are trademarks or registered trademarks of SPARC International, Inc. AMD, Opteron, the AMD logo, and the AMD Opteron logo are trademarks or registered trademarks of Advanced Micro Devices. UNIX is a registered trademark of The Open Group.
This software or hardware and documentation may provide access to or information about content, products, and services from third parties. Oracle Corporation and its affiliates are not responsible for and expressly disclaim all warranties of any kind with respect to third-party content, products, and services unless otherwise set forth in an applicable agreement between you and Oracle. Oracle Corporation and its affiliates will not be responsible for any loss, costs, or damages incurred due to your access to or use of third-party content, products, or services, except as set forth in an applicable agreement between you and Oracle.