Oracle Corporation

10/21/2024 | Press release | Distributed by Public on 10/20/2024 21:39

Supporting secure API access in Oracle Fusion Cloud Applications

When it comes to accessing Oracle Fusion Cloud Applications APIs, choosing the right authentication method is key to safeguarding your data. In such scenarios, you have three standards to choose from: Basic authentication over Secure Socket Layer (SSL), Security Assertion Markup Language (SAML) 2.0 bearer tokens, or JSON Web Token (JWT) in the HTTP header over SSL. Each method provides a different level of security, but basic authentication is generally considered the least secure option. For more details about SAML 2.0 and JWT and how to use them, see REST API for Oracle Fusion Cloud Financials.
Understanding the limitations of Basic Authentication
While basic authentication is simple to implement, it comes with significant security drawbacks that users can't ignore. This method transmits credentials encoded in Base64, which is an encoding rather than encryption and can be trivially decoded by anyone who sees the header. It results in an inherent risk of exposing sensitive information, especially if the transport layer (TLS) is compromised. Managing passwords with basic authentication is also challenging because of issues with rotation, reuse, and enforcement of strong password policies. Given these easily exploitable weaknesses, we strongly discourage basic authentication and don't consider it an optimal choice for securing API access.
Best practices: Restricting API access
Given the security risks associated with basic authentication, implementing extra safeguards is crucial. One of the most effective measures is restricting access to Oracle Fusion Cloud Applications APIs based on known IP addresses. By setting up IP filtering, you can limit access to only trusted sources, which helps reduce the risk of unauthorized access. For a detailed guide on how to implement IP filtering, refer to the instructions.
However, in environments with increased security requirements, or where access from unknown IPs is common, IP filtering alone might not be enough. To strengthen your security posture further, consider disabling basic authentication for API access entirely, either for all IPs or selectively based on CIDR blocks or countries. For example, this setup allows you to permit basic authentication only from your internal corporate network and block it from all other IPs. You can implement this measure through the WAF for SaaS service, which is included by default in every Fusion Applications environment.
Figure: Architecture diagram showing the web application firewall (WAF) for software as a service (SaaS) and a load balancer blocking malicious traffic to Fusion Applications.
Implementing basic authentication restrictions
To disable basic authentication, you can submit a service request to Oracle. When submitting the service request, specify the problem type as Fusion Application Security, including security console, login, SSO, web application firewall (WAF), and cyber security. For detailed guidance on how to raise this service request, see this ticket from Oracle Support. This change doesn't impact regular users logging in through the user interface. Instead, WAF for software as a service (SaaS) specifically targets and blocks traffic that uses basic authentication for API access only.
Before rolling out this change in a production environment, we highly recommend testing it in a staging or test environment. Review all existing integrations to ensure that no legacy systems rely on basic authentication, because blocking it would otherwise cause unintended disruptions.
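The checks this post describes (the trivially reversible Base64 encoding of a Basic header, the CIDR-based exception for the corporate network, and the API-only scope of the block) are illustrated below in an added Python example. It is not Oracle's WAF for SaaS code or the page's own; it audits a constructed set of request records, lists the integrations that still use basic authentication against API paths (the pre-rollout review recommended above), and shows which of them the described rule would block. The trusted CIDR blocks, the API path prefix, and the sample requests are all assumptions constructed for the example.

```python
"""Audit constructed request records against a basic-auth restriction policy.

Added example, not Oracle's WAF for SaaS implementation. The policy shape follows
the blog post: block HTTP Basic authentication on API paths except from trusted
CIDR blocks; interactive UI logins (no Basic header, non-API paths) are untouched.
"""
import base64
import binascii
import ipaddress
from typing import List, NamedTuple, Optional, Tuple

# Assumed trusted ranges (RFC 5737 documentation blocks, constructed for this example).
TRUSTED_CIDRS = [ipaddress.ip_network(c) for c in ("203.0.113.0/24", "198.51.100.0/25")]
# Assumed API path prefix; substitute the REST paths used in your own environment.
API_PREFIXES = ("/example-api/",)


class Request(NamedTuple):
    src_ip: str
    path: str
    authorization: Optional[str]  # raw Authorization header value, or None


def make_basic_header(user: str, password: str) -> str:
    """Build a Basic header the way a client would (constructed sample data only)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")


def auth_scheme(header: Optional[str]) -> Optional[str]:
    """Return the lower-cased scheme ('basic', 'bearer', ...) or None if no header."""
    if not header or not header.strip():
        return None
    return header.split(None, 1)[0].lower()


def basic_auth_user(header: Optional[str]) -> Optional[str]:
    """Return the username carried by a Basic header, or None if absent or malformed.

    Base64 is an encoding, not encryption: anyone who sees the header recovers the
    credential. Only the username is returned so an inventory never stores passwords.
    """
    if auth_scheme(header) != "basic":
        return None
    token = header.split(None, 1)[1] if len(header.split(None, 1)) == 2 else ""
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, _password = decoded.partition(":")
    return user if sep else None


def is_trusted(src_ip: str) -> bool:
    """True if the source address lies inside one of the trusted CIDR blocks."""
    try:
        addr = ipaddress.ip_address(src_ip)
    except ValueError:
        return False  # unparsable source is never trusted
    return any(addr in net for net in TRUSTED_CIDRS)


def evaluate(req: Request) -> str:
    """Decide what the described WAF rule would do with one request: 'allow' or 'block'.

    Basic auth is blocked only on API paths and only from outside the trusted blocks;
    UI traffic and token-based API calls (SAML 2.0 / JWT bearer) pass unchanged.
    """
    uses_basic = auth_scheme(req.authorization) == "basic"
    on_api = req.path.startswith(API_PREFIXES)
    if uses_basic and on_api and not is_trusted(req.src_ip):
        return "block"
    return "allow"


def inventory(requests: List[Request]) -> List[Tuple[str, Optional[str], str, str]]:
    """List (src_ip, user, path, decision) for every API call still using Basic auth.

    This is the integration review the post asks for before enabling the restriction.
    """
    rows = []
    for r in requests:
        if auth_scheme(r.authorization) == "basic" and r.path.startswith(API_PREFIXES):
            rows.append((r.src_ip, basic_auth_user(r.authorization), r.path, evaluate(r)))
    return rows


# Constructed sample traffic: one internal integration, one legacy external bot,
# one JWT-based client, and one interactive UI session.
SAMPLE_REQUESTS = [
    Request("203.0.113.10", "/example-api/invoices", make_basic_header("erp_integ", "s3cret")),
    Request("192.0.2.44", "/example-api/invoices", make_basic_header("legacy_bot", "pw")),
    Request("192.0.2.44", "/example-api/invoices", "Bearer eyJ.constructed.jwt"),
    Request("192.0.2.44", "/ui/dashboard", None),
]

if __name__ == "__main__":
    for row in inventory(SAMPLE_REQUESTS):
        print(row)
```

Running the script prints the two API calls that still rely on basic authentication: the one from the trusted corporate range is allowed, the one from the external address is blocked, while the JWT client and the UI session never appear in the inventory because the rule does not apply to them.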
Conclusion: A multilayered approach to API security
Blocking basic authentication is a key measure in boosting the security of your Fusion Applications APIs. However, it's just one part of a comprehensive security strategy that should also include IP restrictions and the use of secure authentication mechanisms, such as SAML 2.0 and JWT. Together, these measures create a more robust security posture and resilient defense, helping safeguard your APIs from a wide range of potential threats.
By embracing a layered security approach, you can significantly reduce the risk of unauthorized access and protect sensitive data within your Oracle Fusion Cloud Applications. For more details on implementing these security measures, explore the following resources and the links provided throughout this post:
REST API for Oracle Fusion Cloud Financials
Configure Basic Authentication Using Client Credentials
Employing Defense-in-Depth Security Strategy using WAF for Fusion
How to raise a technical service request for WAF