I have been working with Oracle WebLogic Server for quite some time. I can count on my hands the number of deployments where security was a concern. This is the first post of a series that focuses on securing WebLogic Server. The series is inspired by the work I am currently doing with a client in the retail industry. The client has two primary concerns, namely Personally Identifiable Information (PII) and Payment Card Industry Data Security Standard (PCI DSS) compliance. More specifically, Oracle Fusion Middleware (FMW) products such as WebLogic Server, SOA Suite and Oracle Service Bus may be used to process and transport this type of data.
There is plenty of information on securing WebLogic Server out there. Why am I blogging on this topic, you may ask? One, I believe there are a lot of poor practices when it comes to information security. I am a big believer that securing WebLogic Server has to be approached holistically. I will start from the installation and build from there all the way to operations, administration and management (OA&M). Two, what you will find in these posts are actual strategies I am helping real clients implement. If they are concerned about information security, why shouldn’t you be? Three, WebLogic Server will soon be the foundation for many of Oracle’s products. You would be surprised at how quickly a disgruntled employee could breach a WebLogic Server environment. Would you want them to exploit this to gain access to other applications, whether custom developed or commercial off the shelf (COTS) products? In my next post, I will provide a roadmap for this series. In other words, I will provide a list of the topics I intend to cover in the short term.
In closing, as advised by Gideon T. Rasmussen, in his article Implementing Information Security: Risks vs. Cost, a healthy dose of paranoia may be warranted here. Paranoia is definitely on the menu!