
APEX Security 101


Internet security is a topical subject. Securing your applications against attackers matters more and more, because more and more sensitive information is exposed to them; the biggest risk is that someone takes over your identity. This presentation covers best practices for securing mobile applications written in APEX against these threats.

Published in: Technology


  1. Dimitri Gielis APEX Security 101 (mobile) www.apexRnD.be dgielis.blogspot.com @dgielis dgielis@apexRnD.be
  2. Dimitri Gielis ❖ Founder & CEO of APEX R&D ❖ 17+ years of Oracle experience (OCP & APEX Certified) ❖ Oracle ACE Director ❖ “APEX Developer of the Year 2009” by Oracle Magazine ❖ Presenter at Oracle conferences (OOW, ODTUG, OGh, UKOUG, …)
  3. http://dgielis.blogspot.com @dgielis
  4. Security still an issue?
  5. http://www.computerworld.com/article/2487807/malware-vulnerabilities/starbucks-vows-to-beef-up-security-on-its-iphone-app.html
  6. https://news.starbucks.com/news/security-of-starbucks-mobile-app-for-ios
  7. http://securityaffairs.co/wordpress/33059/hacking/ios-outlook-app-issues.html
  8. http://securityaffairs.co/wordpress/category/hacking
  9. Smartphone stolen? Connected to a public network? Data saved on the device? Already authenticated?
  10. Now what?
  11. https://www.owasp.org/index.php/OWASP_Mobile_Security_Project
  12. https://www.owasp.org
  13. https://www.owasp.org
  14. Security in the APEX environment
  15. https://docs.oracle.com/cd/E59726_01/doc.50/e39147/sec_dev.htm#HTMDB25974
  16. Architecture: VPN, Firewall(s)
  17. Server Side (global) ❖ Architecture (tunnel, VPN, firewall, proxy, …) ❖ Patching (all components) ❖ Configure ORDS ❖ Set security.requestValidationFunction ❖ SSL ❖ Instance settings: Require HTTPS ❖ APEX Runtime Environment
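Slide 17 lists "Set security.requestValidationFunction" without saying what it does. As an added example that is not part of the deck: the ORDS setting points ORDS at an APEX-supplied authorization function, and once that function is active every procedure invoked through ORDS must be one the APEX engine needs or one you whitelist yourself in the function below. The function must live in the APEX schema (APEX_050000 for APEX 5.0); MY_SCHEMA.DOWNLOAD_FILE is a hypothetical procedure name used only for illustration.

```sql
-- Added example, not from the slides.
--
-- 1. In the ORDS configuration (defaults.xml, or the pool-specific file) set
--        <entry key="security.requestValidationFunction">wwv_flow_epg_include_modules.authorize</entry>
--    ORDS then calls wwv_flow_epg_include_modules.authorize for every request and
--    rejects any procedure name the function does not approve. APEX's own entry
--    points (f, wwv_flow.accept, apex_util.get_blob_file, ...) are built in.
--
-- 2. Every additional PL/SQL procedure your applications expose through a URL has to
--    be allowed explicitly. APEX consults this optional function in its own schema;
--    anything not returned as TRUE is blocked with a 403.
--    Connect as the APEX schema owner (e.g. APEX_050000) to create it.
create or replace function wwv_flow_epg_include_mod_local (
    procedure_name in varchar2
) return boolean
is
begin
    -- Case-insensitive comparison against the full list of procedures that may be
    -- reached through ORDS outside the APEX engine. Keep the list minimal: each
    -- entry is directly invocable by anyone who can reach the listener.
    if upper(procedure_name) in (
        'MY_SCHEMA.DOWNLOAD_FILE'   -- hypothetical: a public file-download procedure
    ) then
        return true;
    end if;
    -- Deny by default: an unknown procedure name is never allowed through.
    return false;
end wwv_flow_epg_include_mod_local;
/
```

Check the result from the outside: a request for a procedure that is not on the list (for example https://host/ords/my_schema.some_other_proc) must now return 403 rather than run, while the APEX application URLs keep working.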
  18. Data Protection (Server) ❖ Lowest level = in the database ❖ Real Application Security (RAS): more secure, scalable, and cost effective than traditional Oracle VPD
  19. Oracle RAS Benefits ❖ End-user session propagation to the database ❖ Data security based upon application users, roles, privileges, and various relationships ❖ Audit of end-user activity ❖ Simplified administration with declarative security
  20. Oracle RAS & APEX 5.0
  21. Oracle RAS & APEX 5.0 ❖ Instance setting
  22. Server Side (APEX) ❖ Isolating workspaces ❖ Allow Hostnames attribute ❖ Workspace to database schema assignments
  23. Server Side (APEX) ❖ Session timeout ❖ Password policies ❖ Disable Rejoin Sessions ❖ …
  24. Instance settings
  25. Instance settings
  26. Instance settings …
  27. In the APEX app
  28. App level settings
  29. App level settings
  30. App level settings
  31. App level settings
  32. Page level settings
  33. Authentication ❖ Username / Password ❖ Single Sign-On ❖ 3rd party (Facebook/Google/LinkedIn/…) ❖ Through the device? (Touch ID) ❖ Plug-ins
  34. Authentication (remember me)
  35. Password items ❖ Do not save session state ❖ or store the value encrypted ❖ APEX helps to find password items at risk: ❖ Viewing the Security Profiles Report ❖ Viewing the Password Items Report
  36. Authorization ❖ Once in, limit what people can see and do
  37. Session State Protection ❖ Session ❖ URL tampering ❖ Enabled by default in APEX 5.0
  38. SQL injection ❖ Incorrectly filtered user input used in an SQL operation, leading to unintended side effects
  39. SQL injection select * from emp where ename = '&P7_SEARCH1.'
  40. SQL injection KING' or 1=1--
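The vulnerable query from slide 39 with the payload from slide 40, beside its bind-variable form, as an added example that is not part of the original deck. EMP and ENAME are Oracle's demo table and column, P7_SEARCH1 is the page item named on the slide; the two functions emp_count and emp_search_sql are assumed names introduced here for illustration.

```sql
-- Added example, not from the slides. EMP/ENAME are the Oracle demo objects and
-- P7_SEARCH1 the page item named on slide 39; emp_count and emp_search_sql are
-- assumed names for illustration.

-- VULNERABLE (slide 39): &P7_SEARCH1. is a substitution string. APEX replaces it
-- textually before the statement is parsed, so the payload from slide 40,
--     KING' or 1=1--
-- turns the statement into
--     select * from emp where ename = 'KING' or 1=1--'
-- and the WHERE clause is always true: every row is returned.
select * from emp where ename = '&P7_SEARCH1.';

-- HARDENED: a bind variable. The value reaches the parser as data, never as SQL
-- text; the same payload is now just a name that matches no employee.
select * from emp where ename = :P7_SEARCH1;

-- The same rule for dynamic SQL in PL/SQL: bind with USING instead of concatenating.
create or replace function emp_count (p_search in varchar2) return number
is
    l_cnt number;
begin
    -- Vulnerable variant, for contrast (do not use):
    --   execute immediate 'select count(*) from emp where ename = ''' || p_search || ''''
    --       into l_cnt;
    execute immediate 'select count(*) from emp where ename = :1'
        into l_cnt
        using p_search;
    return l_cnt;
end emp_count;
/

-- Identifiers (column or table names) cannot be bound. When one must come from
-- user input, validate it with DBMS_ASSERT before concatenating: simple_sql_name
-- raises ORA-44003 for anything that is not a plain or double-quoted identifier,
-- so input such as   ename = 'x' or 1=1   is rejected before any SQL is built.
create or replace function emp_search_sql (p_column in varchar2) return varchar2
is
begin
    return 'select * from emp where '
        || sys.dbms_assert.simple_sql_name(p_column)
        || ' = :P7_SEARCH1';
end emp_search_sql;
/
```

In APEX the rule of thumb is: bind variables (:P7_SEARCH1) inside SQL, substitution strings (&P7_SEARCH1.) only in HTML, and DBMS_ASSERT for the rare identifier that has to come from the user.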
  41. Cross-site scripting (XSS) ❖ In an XSS attack, a web application is sent a script that activates when it is read by a user's browser. Once activated, these scripts can steal data, even session credentials, and return the information to the attacker.
  42. Many types of XSS ❖ Stored XSS ❖ JavaScript in the database ❖ Reflected XSS ❖ JavaScript embedded in the URL request ❖ Stored XSS in uploaded files ❖ HTML, text file with .jpg extension, etc.
  43. Escaping substitution strings ❖ apex_escape.html() ❖ Escape special characters attribute: YES
  44. Protecting Regions ❖ #COLUMN!HTML# - Escapes reserved HTML characters. ❖ #COLUMN!ATTR# - Escapes reserved characters in an HTML attribute context. ❖ #COLUMN!JS# - Escapes reserved characters in a JavaScript context. ❖ #COLUMN!RAW# - Preserves the original item value and does not escape characters. ❖ #COLUMN!STRIPHTML# - Removes HTML tags from the output and escapes reserved HTML characters.
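Slides 43 and 44 name the escaping function and the template suffixes but do not show them at work. As an added example that is not part of the deck, the block below feeds one constructed attacker string through the APEX_ESCAPE functions that correspond to the !HTML, !ATTR and !JS contexts of slide 44, so the three different encodings can be compared side by side. The payload and the surrounding markup are constructed here; nothing in the block comes from the original slides.

```sql
-- Added example, not from the slides: the APEX_ESCAPE calls that correspond to the
-- !HTML, !ATTR and !JS suffixes of slide 44, applied to one constructed payload.
-- Run with SET SERVEROUTPUT ON in a schema that can see the public APEX_ESCAPE synonym.
declare
    -- Constructed payload (not real data): closes an attribute or tag, then injects
    -- a script that would hand the session cookie to the attacker (the stored-XSS
    -- case of slide 42 once this string sits in a table column).
    l_payload varchar2(200) := '"><script>alert(document.cookie)</script>';
begin
    -- HTML text context (#COLUMN!HTML#, apex_escape.html): the characters that can
    -- change HTML context (&, <, >, quotes) become character references, so the
    -- browser renders the payload as visible text instead of parsing it as markup.
    dbms_output.put_line('<td>' || apex_escape.html(l_payload) || '</td>');

    -- HTML attribute context (#COLUMN!ATTR#, apex_escape.html_attribute): everything
    -- other than letters, digits and a few safe punctuation characters is hex-escaped,
    -- so the value cannot terminate the attribute or add a new one (onmouseover=...).
    dbms_output.put_line('<input type="text" value="'
        || apex_escape.html_attribute(l_payload) || '">');

    -- JavaScript string context (#COLUMN!JS#, apex_escape.js_literal): returns the
    -- value as a quoted JS literal with quotes, backslashes and < > escaped, so the
    -- string cannot be closed early and an embedded </script> cannot end the block.
    dbms_output.put_line('<script>var name = '
        || apex_escape.js_literal(l_payload) || ';</script>');

    -- #COLUMN!RAW# / plain concatenation is the vulnerable form: the payload would
    -- reach the browser unchanged and the script would execute.
    -- dbms_output.put_line('<td>' || l_payload || '</td>');
end;
/
```

The point of the three calls is that the right escaping depends on where the value lands: HTML-escaping a value that is then placed inside a JavaScript string, or inside an attribute, does not make it safe there. Pick the suffix (or function) that matches the output context, and reserve !RAW for values that are known to be trusted HTML.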
  45. Data Protection (Client) ❖ Data encryption in session state ❖ Encrypt locally stored data (on the device)
  46. Other tools ❖ Database Vault ❖ Audit Vault ❖ Database Firewall ❖ Label Security ❖ Virus scanners (integration via ORDS) ❖ …
  47. Q&A www.apexRnD.be dgielis.blogspot.com @dgielis dgielis@apexRnD.be
  48. ❖ Looking for consulting, training and development in Oracle Application Express (APEX)? ❖ Contact: www.apexRnD.be ❖ Mail: info@apexRnD.be Consulting, Development, Training
