Table of contents
- 1. Code Review and Peer Review
- 2. Static Code Analysis
- 3. Automated Unit Testing
- 4. Dynamic Application Security Testing (DAST)
- 5. Continuous Integration and Continuous Deployment (CI/CD)
- 6. Automated Code Formatting and Standards Enforcement
- 7. Security Testing and Vulnerability Management
- 8. Configuration and Change Management
- 9. Logging and Monitoring
- 10. Compliance Auditing and Reporting
- 11. Documentation and Traceability
- 12. Supply Chain Security
The evolving cybersecurity landscape is driving significant changes in software development compliance and supply chain defense. Oracle APEX and PL/SQL present a unique challenge as they straddle the line between application and database, often leading to vulnerabilities due to their classification primarily as a database. Below is a list of critical topics and their relevance to PL/SQL.
1. Code Review and Peer Review
NIST SP 800-218 (Secure Software Development Framework - SSDF): Mandates code review practices to identify security vulnerabilities.
Action: Implement mandatory peer code reviews for all PL/SQL code. Ensure that the review process is documented and that reviewers check for security flaws, coding standards compliance, and logic correctness.
2. Static Code Analysis
NIST SP 800-53 (Security and Privacy Controls for Information Systems and Organizations): Requires the use of automated tools to detect potential security issues in the code.
CISA Guidance: Encourages the use of static analysis tools to identify vulnerabilities early in the development process.
Action: Integrate static analysis tools (e.g., SonarQube, Fortify) into the development pipeline to automatically scan PL/SQL code for security vulnerabilities, code smells, and adherence to coding standards.
3. Automated Unit Testing
Executive Order 14028 (Improving the Nation's Cybersecurity): Calls for robust testing practices, including automated testing, to ensure software security and reliability.
NIST SP 800-218: Recommends the use of automated testing frameworks.
Action: Use utPLSQL or similar frameworks to create and maintain comprehensive unit tests for all PL/SQL code. Ensure that these tests are automatically executed as part of the CI/CD pipeline.
4. Dynamic Application Security Testing (DAST)
CISA and NIST SP 800-53: Highlight the importance of testing applications dynamically to detect security vulnerabilities during runtime.
Action: Conduct DAST on the application environment where PL/SQL code is deployed to identify security issues that may only appear during execution, such as SQL injection or buffer overflows.
5. Continuous Integration and Continuous Deployment (CI/CD)
NIST SP 800-218: Recommends the integration of automated security and quality checks within the CI/CD pipeline.
Executive Order 14028: Emphasizes the use of automated tools and processes to enforce security throughout the software lifecycle.
Action: Integrate PL/SQL code testing, static analysis, and security scanning into the CI/CD pipeline to ensure that code changes are automatically tested and verified before deployment.
6. Automated Code Formatting and Standards Enforcement
NIST SP 800-218: Advocates for consistent coding practices to reduce errors and vulnerabilities.
Action: Utilize automated tools for code formatting (e.g., SQLcl, PL/SQL Developer) and enforce coding standards such as the Trivadis PL/SQL & SQL Coding Guidelines. Ensure that code conforms to established guidelines and standards before it is committed to the codebase.
7. Security Testing and Vulnerability Management
NIST SP 800-218 & SP 800-53: Stress the importance of identifying and remediating vulnerabilities in software.
CISA Guidance: Promotes proactive vulnerability management through regular scanning and remediation efforts.
Action: Conduct regular security testing, including vulnerability scans, penetration testing, and security audits on PL/SQL code. Remediate identified vulnerabilities promptly.
8. Configuration and Change Management
NIST SP 800-53: Requires the implementation of configuration management to control changes to software code.
Action: Implement strict version control and change management policies for PL/SQL code. Use tools like Git to track code changes and ensure that all modifications go through the appropriate review and approval process.
9. Logging and Monitoring
NIST SP 800-92 (Guide to Computer Security Log Management): Recommends logging and monitoring of application activities for security purposes.
Action: Ensure that PL/SQL code includes comprehensive logging of significant actions, errors, and security-related events. Implement monitoring systems to analyze these logs and alert on suspicious activities.
10. Compliance Auditing and Reporting
NIST SP 800-53 & CISA: Recommend regular auditing and reporting to ensure compliance with security policies and standards.
Action: Perform regular audits of PL/SQL code and its associated processes to ensure compliance with relevant standards and policies. Generate compliance reports to document adherence and identify areas for improvement.
11. Documentation and Traceability
NIST SP 800-53: Stresses the importance of documentation for maintaining traceability and accountability.
Action: Maintain detailed documentation for all PL/SQL code, including test cases, review logs, security assessments, and change histories. Ensure that documentation is easily accessible and kept up to date.
12. Supply Chain Security
Executive Order 14028: Emphasizes the need to secure the software supply chain.
Action: Verify that all third-party PL/SQL components or libraries comply with security standards. Conduct regular assessments of these components for vulnerabilities and maintain an inventory of all third-party dependencies.