Common Security Weaknesses
In our experience, many organisations struggle to implement robust security and controls. UK Oracle User Group’s magazine ‘Oracle Scene’ recently published an article written by Deloitte discussing the most common security weaknesses in Oracle applications[3]. A summary of the main issues raised in the article is provided below:
• Support team access is often excessive with many organisations using access profiles that breach traditional segregation of duties principles;
• Most organisations do not have defined segregation of duties policies. Where segregation of duties principles have been defined, many organisations have no preventative or detective controls to enforce these principles;
• Oracle does not provide standard reports to identify actual segregation of duties conflicts[4]. Few organisations have defined their own bespoke reports to address this issue;
• Few organisations configure auditing to capture changes to high risk information, such as supplier bank account details; and
• Many organisations have not defined exception reports to monitor security exceptions or incidents.
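A bespoke segregation of duties report of the kind the list above says few organisations have, sketched as an added example that is not from the article or from Oracle. The duty names, access profile names, users and conflict pairs are all constructed for illustration; a real report would load them from the organisation's own policy and from an extract of user access assignments.

```python
from itertools import combinations

# Constructed SoD policy: pairs of duties one person should not hold together.
CONFLICTS = {
    frozenset({"MAINTAIN_SUPPLIER_BANK", "APPROVE_PAYMENT"}),
    frozenset({"CREATE_SUPPLIER", "ENTER_INVOICE"}),
    frozenset({"ENTER_JOURNAL", "POST_JOURNAL"}),
}

# Constructed mapping of access profiles to the duties they grant.
PROFILE_DUTIES = {
    "AP_SUPPLIER_ADMIN": {"CREATE_SUPPLIER", "MAINTAIN_SUPPLIER_BANK"},
    "AP_INVOICE_CLERK": {"ENTER_INVOICE"},
    "AP_PAYMENT_MANAGER": {"APPROVE_PAYMENT"},
    "GL_SUPER_USER": {"ENTER_JOURNAL", "POST_JOURNAL"},
}

# Constructed user-to-profile assignments, standing in for an access extract.
ASSIGNMENTS = [
    ("asmith", "AP_INVOICE_CLERK"),
    ("bjones", "AP_SUPPLIER_ADMIN"),
    ("bjones", "AP_PAYMENT_MANAGER"),
    ("support1", "GL_SUPER_USER"),
    ("support1", "AP_SUPPLIER_ADMIN"),
    ("support1", "AP_INVOICE_CLERK"),
]

def sod_conflicts(assignments, profile_duties, conflicts):
    """Return sorted (user, duty_a, duty_b, source_profiles) rows, one per actual conflict."""
    granted = {}  # user -> duty -> set of profiles that grant it
    for user, profile in assignments:
        for duty in profile_duties.get(profile, ()):
            granted.setdefault(user, {}).setdefault(duty, set()).add(profile)
    rows = []
    for user, duties in granted.items():
        # Compare effective duties, so conflicts spanning two profiles are caught
        # as well as conflicts built into a single over-broad profile.
        for a, b in combinations(sorted(duties), 2):
            if frozenset({a, b}) in conflicts:
                sources = tuple(sorted(duties[a] | duties[b]))
                rows.append((user, a, b, sources))
    return sorted(rows)

if __name__ == "__main__":
    for user, a, b, sources in sod_conflicts(ASSIGNMENTS, PROFILE_DUTIES, CONFLICTS):
        print(f"{user}: {a} + {b} via {', '.join(sources)}")
```

The report lists the profiles behind each conflict, which separates a conflict caused by one over-broad profile (the support account's general ledger access here) from one caused by a combination of otherwise acceptable profiles.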
In addition to weaknesses at the application level, database security is another critical area which is often overlooked. All information in Oracle applications is held in an underlying Oracle database. If the database is not adequately secured, information can be accessed and modified directly at the database level, bypassing all application-level controls. Typical database security issues include the use of generic user accounts, inadequate password controls and no auditing to monitor the activity of database administrators.