Security Review of PeopleSoft Custom Code

By balaji

June 16, 2010

PeopleSoft developed a Human Resource Management System (HRMS) on a COBOL platform, which is now marketed by Oracle. PeopleSoft's HRMS software has various modules, including HCM and FMS. Human Capital Management (HCM) and Financial Management Solution (FMS) serve the Human Resources and Financial needs of an organization. These HR and Finance modules contain various components that are delivered with the software. Some of the key components in both include:

HCM                  FMS
-------------------  -------------------
Workforce Planning   Asset Management
Payroll Interface    eSettlements
Time and Labor       General Ledger
eRecruit             Payables
eBenefits            Receivables
eCompensation        Risk Management

These PeopleSoft HRMS components can be customized by organizations according to their needs. These customizations can be as simple as a modification of a front-end design or as complex as a modification of the underlying PeopleCode, SQR or COBOL files.

Code Review and PeopleSoft

A security source code review is targeted at reviewing the code base to discover gaps in programming that may lead to a system compromise. A typical source code review involves a review of the entire code base.

In PeopleSoft, this is usually not the case. An organization is most likely to be interested in getting only the customized code reviewed, and not the Oracle-delivered code. So let us dive into PeopleCode review.

PeopleCode Review

PeopleSoft customizations can be complex, as they may involve modifications in various PeopleSoft objects like components, component interfaces, messages, pages, application engines, records and application packages. A review has to be carried out for the customized PeopleCode attached to the various events of these PeopleSoft objects. The reviewer's goal should be to discover every instance of PeopleCode modification or addition that can result in a security vulnerability and a possible exploit.

Steps to follow

The following steps should be followed while conducting a security source code review activity:

  1. Understand PeopleSoft customizations
    Take a walk-through of the application by logging in to the application front-end. Understand the front-end customizations from developers.
  2. Understand the peoplecode customizations
    Understand the underlying events in various objects and the customization of the peoplecode present there.
  3. Run Compare Reports
    Run database compare reports between the current production code and the latest vanilla (delivered) code. The output of this will be a huge list of all the customizations made in the peoplecode.
  4. Review the customized code
    Now we have the list of customizations. Review the customized code for possible security vulnerabilities as listed below.
  5. Confirm the findings from application login
    Log in to the application as an end user and confirm all the possible security vulnerabilities. This can be done by a dry run of the possible exploits as understood from the code review.
  6. Report the findings
    Report all the successful exploits.

Possible Security Vulnerabilities in PeopleCode customizations

Below is a list of a few possible security vulnerabilities which may result from PeopleCode customizations:

  1. SQL Injection
    Open Application Designer, select your project, go to Edit -> Find In, and select "SQL Injection in PeopleCode" as the Find Type. This search lists all potential instances of SQL Injection. Separate the customized instances from the delivered ones and drop the latter. Analyze the remaining output to find actual SQL Injection vulnerabilities.
    The PeopleCode functions which allow inputs to be submitted to the database are the SQLExec function, the CreateSQL function, and the Rowset class Select, Fill and FillAppend methods. These are the calls that should be reviewed for SQL Injection possibilities.
    Usage of bind variables in the SQL statement indicates that it is safe against SQL Injection, provided the user-supplied value is passed only as a bind value and is not also concatenated into the statement text.
  2. Input Validation
    The system is built with various business logic functions based on functional specifications. These may require inputs to be validated according to a certain format. A review should be conducted for the presence of such validation in PeopleCode. Also review for the presence of any improper PeopleCode which may allow an attacker to bypass such validations.
    Input validation can also be carried out to reject malicious special characters.
  3. Hard Coded Sensitive Data
    Review the entire custom code for the presence of hard coded secrets or sensitive data like SSN, Bank account numbers, Passwords, critical project data.
  4. Backdoors
    Backdoors are unauthorized programs that provide a hidden entry into the system. Backdoors may be purposefully or inadvertently inserted by the developers. Review the code base for such backdoors.
  5. Unused Objects
    Any unused or unlinked object should be reviewed. Unused objects may become a security risk. Unlinked objects, users or roles should either be linked to valid objects or be removed.
    A list of all such objects to be reviewed can be obtained by running the SYS Audit and DDD Audit reports in the production environment. While a SYS Audit report provides this information for PeopleSoft definitions, a DDD Audit report provides it for the PeopleSoft database. Make sure that these reports do not contain any exceptions.
    These reports can be run from PeopleSoft front-end interface by the following navigation:
    PeopleTools -> Process Scheduler -> System Process Requests ->
    Select SYSAUDIT and DDDAUDIT from the list of reports.
  6. Malicious File Upload
    The objects related to file upload functionality should be reviewed for the presence of verification code for uploads. PeopleSoft-delivered code has a basic file extension verification. But business requirements often generate the need for different file formats to be used, and so this verification may have been disabled. Hence a review of the verification code has to be conducted to ensure that appropriate validation is done on the uploaded files. Apart from basic file extension verification, other file upload verification best practices may also need to be implemented.
  7. Error Messages
    Visit the Message Catalog and review all the custom messages. Messages should be framed in such a manner that they don't reveal any sensitive information, while still communicating the required information to the users.
    The Message Catalog can be accessed from the following navigation:
    PeopleTools -> Utilities -> Administration -> Message Catalog.
    Custom Message Sets start from 20,000 onwards, so the review should start from message set 20,000.
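As an added illustration of the SQL Injection item above (example code written for this article, not delivered PeopleSoft code), the concatenation pattern that the "SQL Injection in PeopleCode" search flags is shown beside the bind-variable form for each of the listed entry points. The custom work record Z_NAME_SRCH_WRK and its NAME_SRCH field are assumed; PS_PERSONAL_DATA is used as the queried table.

```peoplecode
/* Added example, not delivered code. Assumes a custom work record
   Z_NAME_SRCH_WRK with a NAME_SRCH field that the user fills in on a page. */
Local string &name, &emplid, &pattern;
Local SQL &sqlBad, &sqlGood;
Local Rowset &rs;
Local number &count, &found;

&name = Z_NAME_SRCH_WRK.NAME_SRCH.Value;   /* user-supplied search text */
&pattern = &name | "%";

/* FINDING: the user value is pasted into the statement text, so any quote
   or operator typed by the user becomes part of the SQL that is executed.
   Edit -> Find In -> "SQL Injection in PeopleCode" reports this CreateSQL. */
&sqlBad = CreateSQL("SELECT EMPLID FROM PS_PERSONAL_DATA WHERE NAME LIKE '" | &pattern | "'");
&sqlBad.Close();

/* FIXED: the statement text is constant; the value travels as bind :1 and
   is handled as data by the database, whatever characters it contains. */
&found = 0;
&sqlGood = CreateSQL("SELECT EMPLID FROM PS_PERSONAL_DATA WHERE NAME LIKE :1", &pattern);
While &sqlGood.Fetch(&emplid)
   &found = &found + 1;   /* process each matching EMPLID here */
End-While;
&sqlGood.Close();

/* Same rule for the other entry points the article lists: SQLExec takes
   bind values after the statement, and Rowset Fill/FillAppend take them
   after the WHERE clause. A reviewer accepts these; a concatenated
   &pattern in either string would be a finding. */
SQLExec("SELECT COUNT(*) FROM PS_PERSONAL_DATA WHERE NAME LIKE :1", &pattern, &count);

&rs = CreateRowset(Record.PERSONAL_DATA);
&rs.Fill("WHERE NAME LIKE :1", &pattern);
```

When walking the compare-report output, check that every value that originates from a page field or request reaches the statement only as a bind argument, never inside the quoted SQL string.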

In this article, we described the basic approach to a source code review of a PeopleSoft HRMS. It differs slightly from the code reviews we have conducted on most other platforms and languages, in that the review covers only the customized code base and not the delivered code, but most of the usual security vulnerabilities still apply. Many of them, however, are already addressed by the delivered PeopleSoft code.
