Why I Came Out of Retirement to Work on EBS Security
Eric Bing
June 28, 2026
The story behind Chiton Guard and why EBS security needs evidence, not assumption.
In October 2025, Oracle issued an emergency security alert for CVE-2025-61882, a critical Oracle E-Business Suite vulnerability that could be exploited remotely without authentication and could result in remote code execution.
Public threat intelligence reporting later tied the vulnerability to a broad extortion campaign associated with the Cl0p brand, with evidence suggesting that exploitation activity may have begun weeks before the patch was available. By late 2025, public reporting and leak-site tracking associated more than 100 organizations with the campaign, while several high-profile victims publicly confirmed impact.
This was not ordinary opportunistic scanning after a patch announcement. It looked like a planned campaign against a known, high-value enterprise platform. If you manage an EBS environment, that should be a wake-up call.
The event that changed my mind
I spent about three years out of the industry: running tide pool tours at Fitzgerald Marine Reserve, tutoring math, and going back to my roots in deep learning research. It was a good retirement.
Then the CVE dropped.
At the same time, AI code analysis was accelerating quickly. The threat landscape had changed in a way more fundamental than any single vulnerability. AI tools are lowering the amount of expertise required to perform sophisticated vulnerability analysis, reconnaissance, and exploit chaining. Work that previously required significant manual expertise can now be accelerated, automated, or scaled by attackers with much less specialized knowledge.
The window between disclosure and active exploitation has compressed. The population of potential attackers has expanded. A security posture that was adequate just two years ago is inadequate today, and the gap is widening.
I realized I had a unique set of skills that could help EBS customers defend against this new generation of attacks.
Who I am and why it matters
I know the EBS security infrastructure not because I read the documentation, but because I wrote a good portion of it.
I spent 32 years working on Oracle E-Business Suite. I was the architect for OA Framework, a founding consultant on Oracle Fusion’s security architecture, and for 12 years I ran the EBS security and privacy team inside Oracle, the team that designed and built the current security model.
That background is what brought me back. The problem has always existed. But the combination of increasing attack sophistication and genuinely inadequate tooling has reached the point where sitting on the sidelines felt irresponsible.
Why I founded Chiton Guard
I founded Chiton Guard to close the gap between what EBS environments now require and what most organizations can currently measure.
I’ve been fortunate to have Steven Chan advising the company. Steven spent his career at Oracle as Senior Director of the Applications Technology Group, where he was responsible for EBS technology stack certifications and ATG product management. He holds the Oracle ACE designation, was named OAUG Ambassador of the Year three times, and received the OAUG Lifetime Service Award in 2011. Nobody understands the EBS ecosystem and community better than he does, and his guidance has been invaluable.
Our goal is to help EBS customers move from assumption to evidence. Not “we think this is protected,” but “we can prove what is exposed, show who can reach it, and verify that our controls are actively working.”
What comes next
EBS security is fundamentally different from generic web application security. The platform has its own security model, its own URL structures, its own authorization infrastructure, and its own patterns of risk. Understanding that difference is the starting point for everything else.
The next post in this series lays out the EBS security maturity model I’ll use for the blog: starting with platform hygiene and visibility, then moving into Allowed Resources, forwards, redirects, custom code, exposure validation, and sustained attack-surface reduction. After that, we get into the substance: why EBS security is different, what generic tools miss, and where the real leverage points are.
Eric Bing is the founder and principal security architect at Chiton Guard. He spent 32 years working on Oracle E-Business Suite, including 12 years leading the EBS security and privacy team.