Security Testing of On-Premises Products

This page provides recommendations and explains the limitations for Security Testing against Oracle On-Premises Products (software and hardware systems) managed by customers and typically deployed in a data center under their control. It also applies to testing performed by third parties on the customer’s behalf. You should review the “Helping you determine the applicable Security Tests limitations” section of the Overview page to determine if the limitations listed below apply to your intended Security Tests.

Testing principles

Oracle encourages customers to periodically perform security testing in the environments they control and to assess their security posture on a regular basis. Common security testing activities performed by customers against On-Premises Products include, but are not limited to:

  • Vulnerability assessment: an automated, systematic examination of an information system designed to review the adequacy of security measures, identify security deficiencies, provide data from which to assess the effectiveness of proposed essential or additional security measures, and confirm the operation of such measures.
  • Vulnerability scanning: security testing in which evaluators use automated tools to identify host, service and application attributes and associated vulnerabilities.
  • Penetration Testing: security testing in which evaluators mimic real-world attacks in an attempt to identify ways to circumvent the security features of an application, system, or network. Penetration testing often involves issuing real attacks on real systems and data, using the same tools and techniques known to be used by actual attackers.

Generally, Oracle Products Agreements do not prohibit a customer from conducting Security Tests of its Oracle On-Premises Products as part of its use of such Products in furtherance of its internal business operations. However, to the extent permitted by the applicable Oracle Products Agreement, any such testing of Oracle software must comply with the usage restrictions specified in that agreement, which typically include prohibitions on:

  • Removing or modifying any program markings or any notice of Oracle’s or its licensors’ proprietary rights;
  • Causing or permitting reverse engineering, disassembly or decompilation of the programs (including, but not limited to, reviewing of data structures or similar materials produced by programs); and
  • Disclosing results of any program benchmark tests without Oracle’s prior written consent.

For testing limitations applicable to specific Oracle On-Premises Products, customers should review the terms and conditions of the Oracle Products Agreements under which they have acquired the subject products.

Recommendations to make the most of your testing effort

Preparing your test environment

It is not always possible or advisable to perform testing activities (for example, penetration testing) against production environments, because these activities can negatively impact the environment being tested. For example, testing activities may result in outages, performance degradation, or loss of data integrity.

When performing security testing against a dedicated test environment, Oracle recommends that:

  • The tested environment closely mirrors your production environment. This means that the tested environment uses, as far as possible, components and configuration (operating systems, databases, network configuration, integrations, and so forth) that resemble those used in production.
  • All applicable deployment, administration, security and hardening guidance from the Oracle Help Center and from Oracle Training and Certification courses is implemented before testing begins.
  • Testing is performed against systems running Oracle Products on current, actively supported releases (ideally the most recent Oracle release) with the most recent Critical Patch Update applied. Critical Patch Update releases are generally cumulative, so installing the most recent Critical Patch Update brings your Oracle product to the current security release level because all previously released fixes for that release are included.

The Oracle recommendations on this page are general suggestions, and may not be complete or applicable to your specific deployment of On-Premises Products. Except to the extent otherwise specified in an Oracle Cloud Agreement under which you have engaged Oracle to manage your On-Premises Products deployed in an Oracle Cloud Service, you remain solely responsible for deciding how to test and determine the security of your Oracle On-Premises Products.

Reporting security findings to Oracle

If you believe you have identified a new, previously unreported security vulnerability in an Oracle On-Premises Product, you can report your finding to Oracle using the process documented at How to Report Security Vulnerabilities to Oracle.

Note that many vulnerability scanning tools do not accurately identify the versions of third-party or open-source components used in Oracle product distributions, often because they rely on a component's reported version string, which does not change when Oracle backports a fix into that component. As a result, these tools may report a list of known vulnerabilities (identified by their CVE identifiers) as present in your Oracle product deployment when the corresponding fixes have already been applied. Before treating such findings as confirmed, Oracle recommends that you visit the Critical Patch Updates, Security Alerts and Bulletins page to determine whether they actually apply to the versions and patch level of the Oracle products you are testing. The My Oracle Support article “Security Vulnerability FAQ for Oracle On-Premises Products” explains how to determine if a published CVE affects your Oracle product.

Customer Security Testing of Oracle software hosted by third-party cloud providers

Subject to the terms of the applicable Oracle Products Agreement, customers can opt to operate Oracle On-Premises software products in third-party cloud environments. Security Tests of the On-Premises Products are then subject to the terms described on this page, and may be subject to additional testing restrictions under the customer’s agreement with the applicable third-party cloud provider.

More information