Weaknesses in an organization’s security posture can often be traced back to insecure software configurations, and not necessarily result from errors in design or coding in the software it uses. Examples of insecure configurations include sensitive data files configured by default to be accessible to all system users, or software with pre-configured administrator accounts with default passwords. Oracle’s Secure Configuration standard requires that products and cloud services have secure configurations by default.
Oracle products and services are required to be secure by default. Products and services should only install the essential components to perform their intended functions. Any features not intended for a production deployment, such as demonstration content, default accounts and debug tools, should not be installed by default. This is commonly referred to a minimizing the attack surface. By default, the product or service should only use secure protocols and algorithms.
Most Oracle products depend on other products or components. For example, if an application requires a database, the application developers should understand what database features are needed and recommend a custom installation of only essential components. Operating systems include many features or services that are not needed by all applications. The application developers must determine which services are required and disable any others.
Cloud services are deployed in a specific configuration, or a small number of configurations. The security of this configuration should be planned from the design phase, by the development team. The developers implementing the service need to be aware of the planned configuration. Testing must be performed on the product in this configuration, with pre-deployment tests performed in an environment identical to the production environment.
Cloud development teams are required to deliver the service to cloud operations teams in an automated, fully secured configuration. Use of containers, such as Docker and automated deployment pipelines, help development teams satisfy this requirement.
Development organizations are required to provide a capability where the security configuration of a cloud service can be evaluated against the secure configuration baseline in an automated manner, efficiently, consistently, and reliably across a fleet of instances.