Dimitri Gielis
APEX Security 101 (mobile)
www.apexRnD.be
dgielis.blogspot.com
@dgielis
dgielis@apexRnD.be
Dimitri Gielis
❖ Founder & CEO of APEX R&D
❖ 17+ years of Oracle Experience (OCP & APEX Certified)
❖ Oracle ACE Director
❖ “APEX Developer of the year 2009” by Oracle Magazine
❖ Presenter at Oracle Conferences (OOW, ODTUG, OGh, UKOUG, …)
http://dgielis.blogspot.com @dgielis
Security still an issue?
http://www.computerworld.com/article/2487807/malware-vulnerabilities/starbucks-vows-to-beef-up-security-on-its-iphone-app.html
https://news.starbucks.com/news/security-of-starbucks-mobile-app-for-ios
http://securityaffairs.co/wordpress/33059/hacking/ios-outlook-app-issues.html
http://securityaffairs.co/wordpress/category/hacking
Smartphone stolen?
Connected to public network?
Data saved on Device?
Already authenticated?
Now what?
https://www.owasp.org/index.php/OWASP_Mobile_Security_Project
https://www.owasp.org
Security in APEX environment
https://docs.oracle.com/cd/E59726_01/doc.50/e39147/sec_dev.htm#HTMDB25974
Architecture (diagram: VPN, Firewall(s))
Server Side (global)
❖ Architecture (Tunnel, VPN, Firewall, Proxy, …)
❖ patching (all components)
❖ Configure ORDS
❖ Set security.requestValidationFunction
❖ SSL/TLS on every hop (browser to proxy, proxy to ORDS)
❖ Instance settings: Require HTTPS
❖ APEX Runtime Environment
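The ORDS request validation setting from the list above, as an added example that is not from the slides. The first part is the entry for ORDS' defaults.xml; the second part is the hook APEX documents for allowing extra procedures of your own through the URL once that validation is on. The schema name APEX_050000 and the procedure MY_SCHEMA.REPORT_PRINT are assumptions for illustration.

```sql
-- Added example, not part of the original slides.
--
-- 1. In ORDS' defaults.xml, point request validation at APEX's own
--    whitelist so that only APEX entry points (f, wwv_flow.accept, ...)
--    can be invoked through the URL, everything else is rejected:
--
--    <entry key="security.requestValidationFunction">wwv_flow_epg_include_modules.authorize</entry>
--
-- 2. wwv_flow_epg_include_modules.authorize also consults an optional
--    local function in the APEX schema (APEX_050000 for APEX 5.0, assumed
--    here). Create it only if you must expose additional procedures, and
--    keep the list explicit; anything not listed stays blocked.

create or replace function apex_050000.wwv_flow_epg_include_mod_local (
    procedure_name in varchar2 )
return boolean
is
begin
    -- compare on the fully qualified name; MY_SCHEMA.REPORT_PRINT is a
    -- hypothetical procedure used for illustration
    if upper(procedure_name) in ('MY_SCHEMA.REPORT_PRINT') then
        return true;
    end if;
    -- deny by default: the caller must explicitly allow every procedure
    return false;
end wwv_flow_epg_include_mod_local;
/
```

Restart ORDS after changing defaults.xml, then check the effect by calling a procedure that is not on the list through the URL: it must return an error instead of executing.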
Data Protection (Server)
❖ Lowest level = in the database
❖ Real Application Security (RAS): more secure, scalable and cost effective than traditional Oracle VPD
Oracle RAS Benefits
❖ End-user session propagation to the database
❖ Data security based on application users, roles, privileges and their relationships
❖ Audit of end-user activity
❖ Simplified administration with declarative security
Oracle RAS & APEX 5.0
❖ Instance setting: RAS must be allowed at instance level before an application can use it
Server Side (APEX)
❖ Isolating Workspaces
❖ Allow Hostnames attribute
❖ Workspace to database schema assignments
❖ Session Timeout
❖ Password policies
❖ Disable Rejoin Sessions
❖ …
Instance settings
…
In APEX app
App level settings
Page level settings
Authentication
❖ Username / Password
❖ Single Sign-On
❖ 3rd party (Facebook/Google/Linkedin/…)
❖ Through device? (Touch ID)
❖ Plug-ins
Authentication (remember me)
Password items
❖ do not save session state
❖ or store the value encrypted
❖ APEX helps to find password items at risk:
  ❖ Viewing the Security Profiles Report
  ❖ Viewing the Password Items Report
Authorization
❖ Once in, limit what people can see and do
Session State Protection
❖ Protects session state items against URL tampering (the checksum in the URL must match)
❖ Enabled by default for new applications in APEX 5.0
SQL injection
❖ User input that is concatenated into an SQL statement instead of being bound lets the user change the meaning of the statement, with unintended side effects
SQL injection
select *
from emp
where ename = '&P7_SEARCH1.'
SQL injection: entering KING' or 1=1-- as P7_SEARCH1 turns the condition into ename = 'KING' or 1=1 (the -- comments out the closing quote), so every row is returned
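The slide's query built both ways, as an added example that is not from the slides. It runs against the standard EMP demo table (14 rows) with the injected value shown above: the substituted version returns every employee, the bound version returns none because no employee is literally named that. The P7_SEARCH1 value is constructed for the demonstration.

```sql
-- Added example, not part of the original slides. Run with
-- "set serveroutput on" in a schema that has the EMP demo table.
declare
    -- constructed attacker-controlled value of P7_SEARCH1
    l_input  varchar2(100) := q'[KING' or 1=1--]';
    l_sql    varchar2(4000);
    l_count  pls_integer;
begin
    -- 1. Substitution: &P7_SEARCH1. in the region source is replaced
    --    textually before the SQL is parsed, exactly like this concatenation.
    l_sql := q'[select count(*) from emp where ename = ']' || l_input || q'[']';
    dbms_output.put_line(l_sql);
    -- select count(*) from emp where ename = 'KING' or 1=1--'
    execute immediate l_sql into l_count;
    dbms_output.put_line('substitution: ' || l_count || ' rows');   -- 14, every employee

    -- 2. Bind variable: :P7_SEARCH1 in the region source. The value is
    --    passed to the parsed statement as data and can never become SQL.
    execute immediate 'select count(*) from emp where ename = :1'
        into l_count using l_input;
    dbms_output.put_line('bind: ' || l_count || ' rows');           -- 0
end;
/
```

The fix in APEX is therefore not to filter the input but to reference the item as a bind variable (:P7_SEARCH1) in the region source; use the Advisor to find region sources, conditions and LOV queries that still use &ITEM. substitution.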
Cross-site scripting (XSS)
❖ In an XSS attack, a web application is sent a script that activates when it is read by a user's browser. Once activated, such a script can steal data, even session credentials, and send it to the attacker.
Many Types of XSS
❖ Stored XSS
  ❖ JavaScript stored in the database
❖ Reflected XSS
  ❖ JavaScript embedded in the URL request
❖ Stored XSS in uploaded files
  ❖ HTML, a text file with a .jpg extension, etc.
Escaping substitution strings
❖ apex_escape.html()
❖ Escape special characters attribute: YES
Protecting Regions
❖ #COLUMN!HTML# - Escapes reserved HTML characters.
❖ #COLUMN!ATTR# - Escapes reserved characters in an HTML attribute context.
❖ #COLUMN!JS# - Escapes reserved characters in a JavaScript context.
❖ #COLUMN!RAW# - Preserves the original item value and does not escape characters.
❖ #COLUMN!STRIPHTML# - Removes HTML tags from the output and escapes reserved HTML characters.
Data Protection (Client)
❖ Data encryption in Session State
❖ Encrypt locally stored data (on device)
Other tools
❖ Database Vault
❖ Audit Vault
❖ Database Firewall
❖ Label Security
❖ Virus Scanners (include in ORDS)
❖ …
Q&A
❖ Looking for consulting, training and development in Oracle
Application Express (APEX)?
❖ Contact : www.apexRnD.be
❖ Mail : info@apexRnD.be
Consulting, Development, Training