I’d like to share a demonstration of a field-level data masking solution that I’ve created for PeopleSoft. This project showcases a lot of the techniques that I have discussed throughout the year on this blog with respect to creating a secure PeopleSoft application with a good user experience. This bolt-on solution provides a user interface to configure what fields to mask, the conditional ability for end users to unmask data, and a way to track the sensitive data exposure throughout the system.
I developed a servlet filter that is capable of logging the request data that a client sends to the PeopleSoft servlets. I did this project to better familiarize myself with Java as well as to get more comfortable developing at the web tier. This servlet filter can be useful for keeping track of what users are doing in your PeopleSoft applications. I will admit that the code that I am releasing here is pretty raw and should be used with caution. I am mostly putting this out here for documentation purposes.
Keeping a record of the transactions that are occurring in your PeopleSoft applications is a great way to prepare yourself for the inevitable security investigations that will need to occur after a security-related incident. While most logging can be done at the database level with triggers and audit tables, there are still some transactions that the database is not capable of capturing. One example of this is a transaction where a user inputs data into a search record on a component. I would say that logging this information is very important for certain components in PeopleSoft. Even though users are not altering the data in these situations, just knowing what the users are searching for can be useful information.
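A minimal filter of the kind described above, written as an added example for this post rather than the author's released code. It captures search-record input because those values arrive as request parameters whether or not the database is ever written to; it assumes a javax.servlet container, a web.xml mapping to the PeopleSoft servlet paths (assumed here to be /psc/* and /psp/*), and that credential-like parameter names contain "pwd" or "password".

```java
import java.io.IOException;
import java.util.Map;
import java.util.logging.Logger;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;

// Added example: logs each request sent to the PeopleSoft servlets. Assumptions
// (not from the post): the filter is mapped in web.xml to /psc/* and /psp/*, and
// credential-like parameter names contain "pwd" or "password".
public class RequestAuditFilter implements Filter {
    private static final Logger LOG = Logger.getLogger(RequestAuditFilter.class.getName());

    public void init(FilterConfig config) { }
    public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest) {
            HttpServletRequest http = (HttpServletRequest) req;
            // getParameterMap() parses a form-encoded POST body: the servlet still sees the
            // parameters, but the raw input stream is consumed, so do not also read
            // req.getInputStream() in this filter.
            LOG.info(formatEntry(http.getRemoteAddr(), http.getMethod(),
                    http.getRequestURI(), http.getParameterMap()));
        }
        chain.doFilter(req, res); // always hand the request on to PeopleSoft
    }

    // One log line per request. Credential-like values are replaced with [REDACTED], and
    // CR/LF are stripped from names and values so a client cannot forge extra log lines.
    static String formatEntry(String client, String method, String uri,
                              Map<String, String[]> params) {
        StringBuilder sb = new StringBuilder();
        sb.append(client).append(' ').append(method).append(' ').append(uri);
        for (Map.Entry<String, String[]> e : params.entrySet()) {
            String lower = e.getKey().toLowerCase();
            boolean secret = lower.contains("pwd") || lower.contains("password");
            for (String v : e.getValue()) {
                sb.append(' ').append(e.getKey().replaceAll("[\\r\\n]", " ")).append('=')
                  .append(secret ? "[REDACTED]" : v.replaceAll("[\\r\\n]", " "));
            }
        }
        return sb.toString();
    }
}
```

The log line carries client address, method, URI and every parameter, so a search on a component shows up as its search-key parameters even though no database trigger would fire.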