2 Determining Your Security Needs

The security requirements you establish for your WebLogic Server environment are based upon multiple considerations, such as the types of resources hosted on WebLogic Server that need to be protected, the users and other entities that access those resources, recommendations from Oracle as well as in-house or independent security consultants, and more.

This chapter describes how you can determine your security needs and make sure that you take the appropriate security measures before you deploy WebLogic Server 12.1.3 and your Java EE applications into a production environment. This chapter includes the following sections:

Understand Your Environment

The WebLogic Server environment includes not only the resources that are hosted on WebLogic Server, but also the software systems and other entities with which those WebLogic Server resources interoperate, such as databases and load balancers, and the users who have access to that environment.

To better understand your security needs, ask yourself the following questions:

  • Which resources am I protecting?

    Many resources in the production environment can be protected, including information in databases accessed by WebLogic Server and the availability, performance, applications, and integrity of the Web site. Consider the resources you want to protect when deciding the level of security you must provide.

  • From whom am I protecting the resources?

    For most Web sites, resources must be protected from everyone on the Internet. But should the Web site be protected from the employees on the intranet in your enterprise? Should your employees have access to all resources within the WebLogic Server environment? Should the system administrators have access to all WebLogic resources? Should the system administrators be able to access all data? You might consider giving access to highly confidential data or strategic resources to only a few well-trusted system administrators. Perhaps it would be best to allow no system administrators access to the data or resources.

  • What will happen if the protections on strategic resources fail?

    In some cases, a fault in your security scheme is easily detected and considered nothing more than an inconvenience. In other cases, a fault might cause great damage to companies or individual clients that use the Web site. Understanding the security ramifications of each resource will help you protect it properly.

Hire Security Consultants or Use Diagnostic Software

Whether you deploy WebLogic Server on the Internet or on an intranet, it is a good idea to hire an independent security expert to go over your security plan and procedures, audit your installed systems, and recommend improvements. Oracle Consulting offers services and products that can help you to secure a WebLogic Server production environment. See the Oracle Consulting page at https://www.oracle.com/consulting/.

Read Security Publications

Read about security issues:

Install WebLogic Server in a Secure Manner

Currently, the WebLogic Server installation includes some additional WebLogic Server development utilities (for example, wlsvc). These development programs could be a security vulnerability. The following are recommendations for making a WebLogic Server installation more secure:

  • Do not install the WebLogic Server sample applications. When installing WebLogic Server, make sure that the option to install the Server Examples component is not selected.

  • Do not run WebLogic Server when configured in development mode. Rather, you should make sure WebLogic Server is configured to run in production mode. Production mode sets the server to run with settings that are more secure and appropriate for a production environment.

    Note:

    When WebLogic Server is configured in development mode, certain error conditions, such as a misbehaving application or an invalid configuration of WebLogic Server, may result in a stack trace being displayed. While error responses generally are not dangerous, they have the potential to give attackers information about the application or the WebLogic Server installation that can be used for malicious purposes.
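
A pre-deployment check for the two recommendations above, as an added example that is not part of the Oracle documentation. It assumes the domain's config.xml records production mode in a `production-mode-enabled` element and treats any deployment whose source path contains a `samples` or `examples` directory as a sample application; the function name, the sample configuration and its paths are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a domain config.xml (not taken from a real installation).
SAMPLE_CONFIG = """<domain xmlns="http://xmlns.oracle.com/weblogic/domain">
  <name>base_domain</name>
  <app-deployment>
    <name>orders</name>
    <source-path>/u01/apps/orders.war</source-path>
  </app-deployment>
  <app-deployment>
    <name>mainWebApp</name>
    <source-path>/u01/oracle/wlserver/samples/server/examples/build/mainWebApp</source-path>
  </app-deployment>
</domain>
"""


def local(tag):
    """Strip the XML namespace so the check does not depend on it."""
    return tag.rsplit("}", 1)[-1]


def audit_domain_config(xml_text):
    """Return findings for development mode and deployed sample applications."""
    # Parse only configuration files you control; ElementTree is not
    # hardened against hostile XML.
    root = ET.fromstring(xml_text)
    findings = []

    # A domain in development mode has this element absent or set to false.
    mode = next((c.text for c in root
                 if local(c.tag) == "production-mode-enabled"), None)
    if (mode or "").strip().lower() != "true":
        findings.append("domain is not in production mode")

    # Assumption: a samples/ or examples/ path component marks a sample app.
    for dep in (c for c in root if local(c.tag) == "app-deployment"):
        fields = {local(f.tag): (f.text or "").strip() for f in dep}
        parts = fields.get("source-path", "").replace("\\", "/").lower().split("/")
        if "samples" in parts or "examples" in parts:
            findings.append("sample application deployed: " + fields.get("name", "?"))
    return findings


if __name__ == "__main__":
    for finding in audit_domain_config(SAMPLE_CONFIG):
        print("FINDING:", finding)
```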