Chiton Guard

Oracle E-Business Suite Security

See your EBS attack surface clearly — before attackers do.

Most security tools don't speak EBS. Chiton Guard does — natively, across every layer of Oracle's function-security model.

Get the Free Assessment Explore Full Services
chitonguard.com
Chiton Guard Security Assessment dashboard showing configuration health score, three-tier analysis, and severity findings

Why EBS needs its own security assessment

Generic web security tools see ports and CVEs. They are blind to the EBS authorization model that determines real user exposure.

EBS authorization is specialized

Functions, menus, responsibilities, and Allowed Resources determine what users can actually reach. No generic tool models this natively.

Generic scanners miss the model

Standard tools find infrastructure CVEs and open ports. They cannot tell you whether EBS authorization is enforcing policy — or just documenting intent.

Small gaps expose critical workflows

A misaligned function gate, an unregistered JSP, or a reachable page with no auth checks can expose finance, HR, and supply chain operations.

Six layers of evidence. One clear picture.

Chiton Guard correlates configuration, reachability, runtime behavior, and code-level evidence against the same EBS endpoint population.

chitonguard.com — Navigation Targets
Chiton Guard Navigation Targets view showing 19,894 reachable targets across functions, responsibilities, and users
01

Configuration

Is the platform actually enforcing the controls it claims to? Audit all three EBS tiers and surface inconsistencies.

02

Registry

What is registered, how is it classified, and how stale is the audit record? Registry coverage is the baseline.

03

Navigation

What can real users actually reach through menus? Which users? Does registry coverage match the reachable population?

04

Surface

What responds at runtime, and to which actor types? Observed behavior — not inferred exposure.

05

Code Analysis

What does the source code appear to do? Identify missing function gates, tainted forwards, and open redirects.

06

Code Review

What do analysts confirm after reading the code? Verified verdicts override scanner classification.

Highest-priority signal: A target reachable through menus, absent from the registry, and returning an authenticated session to an anonymous actor — confirmed by code review. Each layer contributes independent evidence; together they form an unambiguous finding.

Answers generic scanners cannot give you

Because Chiton Guard correlates configuration, registry, navigation, runtime traffic, source code, and analyst review, it answers questions that isolated tools leave unresolved.

Configuration

Are EBS security features actually enabled, enforced, and being used as intended — or just present in documentation?

Authorization & access

Do Allowed Resources match what users reach through menus and what appears in HTTP logs? Are function gates aligned before you turn enforcement on?

Attack history

Are there indicators of previous probing or compromise in the logs? Do any patterns suggest an attempt succeeded?

Lockdown priorities

Which exposed resources need to be addressed first — especially anonymous, guest, low-privilege, or known-risk endpoints?

Customization coverage

Which customized resources exist, and are they correctly represented in the EBS security model?

Testing focus

Which resources need follow-up testing, who can reach them, and what navigation path gets them there?

The goal is not another scanner report. It is a prioritized map of what can be reached, by whom, and what to do next.

Two ways to engage

Start with the free configuration assessment and see your security posture immediately. When you're ready for a complete attack surface analysis, our consulting service goes deeper.

Free
Configuration drilldown showing findings across database, frontend, and middleware tiers

Secure Configuration Checker

Audits EBS security configuration across all three tiers and cross-references them to surface inconsistencies that single-tier checks miss. Includes checks for exploit and scanning indicators beyond Oracle's published guidance.

  • Database tier
  • Application mid-tier
  • Front-end tier
  • Exploit indicators
  • Scanning indicators
Get the Free Assessment
Consulting Service
Surface scan showing per-endpoint response types for anonymous, guest, and authenticated actors

Full Attack Surface Assessment

A complete engagement covering your entire EBS attack surface. We run the full scanning suite against your environment, analyze the results, and deliver a prioritized remediation roadmap with expert recommendations.

  • Attack Surface Scanner
  • Static Analyzer
  • Navigation Graph
  • Six-layer viewer
  • Expert analysis
  • Remediation roadmap
Contact Us to Engage

Built by the people who built EBS security

Chiton Guard was founded by Oracle's former chief EBS security architect, with advisory support from one of the community's most recognized voices.

Eric Bing

Founder & Principal Security Architect

  • 32 years of EBS architecture experience
  • 10 years leading the OA Framework Development Division
  • 12 years leading EBS security and privacy
  • Founding consultant, Oracle Fusion security architecture

Eric is now combining his platform-specific knowledge with modern AI to deliver security analysis that only an insider could build.

Steven Chan

Advisor

  • Former Senior Director, Oracle Applications Technology Group
  • Responsible for EBS tech stack certifications and ATG product management
  • Oracle ACE designation
  • Three-time OAUG Ambassador of the Year (2007, 2009, 2010)
  • OAUG Lifetime Service Award 2011

Steven brings thirty years of IT industry experience across Oracle, IBM, Deloitte & Touche, and other software and media companies.

"Nobody knows Oracle E-Business Suite security as well as Eric Bing… I can think of nobody more qualified to build the next generation of security tools for EBS."

Steven Chan  ·  Oracle ACE  ·  Former Senior Director, Oracle ATG

Free

Request the Free Configuration Assessment

A read-only, three-tier security configuration assessment for your Oracle E-Business Suite environment — no permanent installation required. Submit your details and we'll follow up within 24–48 hours.

What's in the package

  • Environment configuration template — set your database DSN, mid-tier SSH host, and front-end base URL
  • Four security check scripts — covering the database tier (shell + SQL), application mid-tier, and external front-end
  • README with full deployment instructions — two deployment options: orchestrated from a central host, or manual per-host execution

Delivered as a .tar.gz archive. Read-only — no permanent installation, no EBS modifications. For the full attack surface assessment including navigation graph, surface scanning, and code analysis, contact us about our consulting service.

No installation required No EBS modifications Works on EBS 12.1 and 12.2

Questions about the package or your environment? Get in touch — we're happy to help.

Frequently Asked Questions

What is the difference between the free assessment and the consulting service?
The free Secure Configuration Checker is a standalone script package you download and run yourself. It audits your EBS security configuration across the database, application mid-tier, and front-end tiers and produces a report you can review immediately. There is no cost and no engagement required.

The full attack surface assessment is a consulting engagement. It includes the complete scanning suite — Attack Surface Scanner, Static Analyzer, and Navigation Graph — plus expert analysis of the results. We run the tools against your environment, interpret the findings across all six evidence layers, and deliver a prioritized remediation roadmap with specific recommendations. This service is priced per engagement and is well-suited for organizations preparing for a compliance review, planning a security hardening initiative, or evaluating the risk surface of a new or acquired EBS environment.
What does the consulting engagement involve?
A typical engagement includes:

1. Data collection — We run the full scanning suite (passive and/or active mode) against your EBS environment. You control the scope and timing.

2. Analysis — We correlate findings across all six layers: configuration, registry, navigation reachability, runtime surface behavior, static code analysis, and manual code review where warranted.

3. Reporting — You receive a prioritized findings report in the Chiton Guard viewer, including recommended remediation actions, lockdown candidates, and areas requiring additional testing.

Engagements are scoped based on the size and complexity of the EBS environment. Contact us to discuss your situation.
Does Chiton Guard require any installation or modification inside our EBS environment?
No installation, no agents, and no modifications to EBS configuration or application code. The assessment suite runs in two modes:

Passive mode reads database and configuration data only. No HTTP requests are made to the application — there is no activity in OHS access logs or the EBS audit trail.

Active mode probes application endpoints via HTTP to observe runtime behavior. This generates activity in OHS access logs, similar to a real user session. No data is written and no configuration is changed.

For environments where any application traffic is sensitive, run passive mode first. Active mode is recommended for complete attack surface coverage.
What does the assessment package include?
The package includes the assessment scripts, configuration checklist, setup guidance, and instructions for collecting the inputs needed to generate viewer output.
How is Chiton Guard different from generic web scanners or SIEM tooling?
Generic tools report infrastructure findings — open ports, known CVEs, misconfigured headers. They do not understand the EBS authorization model. Chiton Guard evaluates EBS-specific constructs: functions, menus, responsibilities, Allowed Resources registry coverage, and runtime behavior — together, in context.
Why did you choose the name Chiton Guard?
A chiton is a small tidepool mollusk protected by eight overlapping shell plates: flexible natural armor built for harsh shoreline environments.

We chose Chiton Guard because that combination fits how we think about security: strong protection, practical resilience, and adaptability under real-world pressure.

There is also a personal connection. Eric Bing, one of our founders, leads tide pool tours in his free time, and chitons are one of the quiet, fascinating creatures people often overlook until someone points them out. The Flame Lined Chiton is a favorite — a beautiful West Coast species whose tiny teeth are reinforced with magnetite, an iron-based mineral. Basically, metallic teeth.
How does the Chiton Guard secure configuration checker differ from Oracle's published EBS secure configuration guidance?
There is overlap — both are grounded in the Secure Configuration Guide and general best practices. Chiton Guard collects from a broader set of inputs, checks for exploit and scanning indicators, and is designed to be easy to rerun and integrate into a customer's existing review workflow.
What versions of EBS are supported?
EBS 12.1 and 12.2 are currently supported.
What kind of findings should we expect?
Configuration gaps, exposed or reachable resources with no function gate, mismatches between menu reachability and registry coverage, runtime behavior that suggests overexposure, and code-level authorization issues that warrant follow-up review.

Get in touch

Questions about the assessment, your EBS environment, or how Chiton Guard fits into your security review process? We're happy to talk.

[email protected]

We will never sell your information, and you can ask to be removed from our list at any time.