Abstract image of a woman sitting on books and studying on a laptop

APEX Security 101

Dimitri Gielis, profile picture
Dimitri Gielis

The document outlines security practices for APEX applications, emphasizing the importance of safeguarding data through methods like encryption, session state protection, and proper authentication mechanisms. Key topics include Oracle Real Application Security benefits, strategies for preventing SQL injection and cross-site scripting attacks, and the necessity of infrastructure security measures like VPNs and firewalls. Additionally, it provides links to resources and highlights consulting services available for Oracle APEX.

Technology
1 of 51
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
Dimitri Gielis APEX Security 101 (mobile) www.apexRnD.be dgielis.blogspot.com @dgielis dgielis@apexRnD.be
Dimitri Gielis ❖ Founder & CEO of APEX R&D ❖ 17+ years of Oracle Experience (OCP & APEX Certified) ❖ Oracle ACE Director ❖ “APEX Developer of the year 2009” by Oracle Magazine ❖ Presenter at Oracle Conferences (OOW, ODTUG, OGh, UKOUG, …)
http://dgielis.blogspot.com @dgielis
APEX Security 101
Security still an issue?
http://www.computerworld.com/article/2487807/malware-vulnerabilities/starbucks-vows-to-beef-up-security-on-its-iphone-app.html
https://news.starbucks.com/news/security-of-starbucks-mobile-app-for-ios
http://securityaffairs.co/wordpress/33059/hacking/ios-outlook-app-issues.html
http://securityaffairs.co/wordpress/category/hacking
Smartphone stolen? Connected to public network? Data saved on Device? Already authenticated?
APEX Security 101
Now what?
APEX Security 101
https://www.owasp.org/index.php/OWASP_Mobile_Security_Project
https://www.owasp.org
https://www.owasp.org
Security in APEX environment
https://docs.oracle.com/cd/E59726_01/doc.50/e39147/sec_dev.htm#HTMDB25974
Architecture VPN Firewall(s)
Server Side (global) ❖ Architecture (Tunnel, VPN, Firewall, Proxy, …) ❖ patching (all components) ❖ Configure ORDS ❖ Set security.requestValidationFunction ❖ SSL ❖ Instance settings: Require HTTPS ❖ APEX Runtime Environment
Data Protection (Server) ❖ Lowest level = in the database ❖ Real Application Security (RAS)
 - more secure, scalable, and cost effective than traditional Oracle VPD
Oracle RAS Benefits ❖ End-user session propagation to the database ❖ Data security based upon application users, role, privileges, and various relationships ❖ Audit of end-user activity ❖ Simplified administration with declarative security
Oracle RAS & APEX 5.0
Oracle RAS & APEX 5.0 ❖ Instance setting
Server Side (APEX) ❖ Isolating Workspaces ❖ Allow Hostnames attribute ❖ Workspace to database schema assignments
Server Side (APEX) ❖ Session Timeout ❖ Password policies ❖ Disable Rejoin Sessions ❖ …
Instance settings
Instance settings
Instance settings …
In APEX app
App level settings
App level settings
App level settings
App level settings
Page level settings
Authentication ❖ Username / Password ❖ Single Sign-On ❖ 3rd party (Facebook/Google/Linkedin/…) ❖ Through device? (Touch ID) ❖ Plug-ins
Authentication (remember me)
Password items ❖ do not save session state ❖ or store the value encrypted ❖ APEX helps to find password items at risk: ❖ Viewing the Security Profiles Report ❖ Viewing the Password Items Report
Authorization ❖ Once in, limit what people can see and do
Session State Protection ❖ Session ❖ URL Tempering ❖ Default enabled in APEX 5.0
SQL injection ❖ Incorrectly filtered user input used in an SQL operation leading to unintended side-effects
SQL injection select * from emp where ename = '&P7_SEARCH1.'
SQL injection KING' or 1=1--
Cross-site scripting (XSS) ❖ In a XSS attack, a web application is sent a script that activates when it is read by a user's browser. Once activated, these scripts can steal data, even session credentials, and return the information to the attacker.
Many Types of XSS ❖ Stored XSS ❖ JavaScript in database ❖ Reflected XSS ❖ Embedded JavaScript in URL request ❖ Stored XSS in uploaded files ❖ HTML, Text file with .jpg extension, etc.
Escaping substitution strings ❖ apex_escape.html() ❖ Escape special characters attribute: YES
Protecting Regions ❖ #COLUMN!HTML#- Escapes reserved HTML characters. ❖ #COLUMN!ATTR#- Escapes reserved characters in a HTML attribute context. ❖ #COLUMN!JS#- Escapes reserved characters in a JavaScript context. ❖ #COLUMN!RAW#- Preserves the original item value and does not escape characters. ❖ #COLUMN!STRIPHTML#- Removes HTML tags from the output and escapes reserved HTML characters.
Data Protection (Client) ❖ Data encryption in Session State ❖ Encrypt locally stored data (on device)
Other tools ❖ Database Vault ❖ Audit Vault ❖ Database Firewall ❖ Label Security ❖ Virus Scanners (include in ORDS) ❖ …
Q&A www.apexRnD.be dgielis.blogspot.com @dgielis dgielis@apexRnD.be
❖ Looking for consulting, training and development in Oracle Application Express (APEX)? ❖ Contact : www.apexRnD.be ❖ Mail : info@apexRnD.be Consulting, Development, Training

More Related Content

PPTX
JPA For Beginner's
NarayanaMurthy Ganashree
 
PDF
Apache Spark Data Validation
Databricks
 
PDF
Lessons from the Field: Applying Best Practices to Your Apache Spark Applicat...
Databricks
 
PPT
Java Persistence API (JPA) Step By Step
Guo Albert
 
PDF
Introducing Neo4j
Neo4j
 
PDF
Crud tutorial en
forkgrown
 
PDF
PostgreSQL Tutorial For Beginners | Edureka
Edureka!
 
PPTX
Spring Security 5
Jesus Perez Franco
 
JPA For Beginner's
NarayanaMurthy Ganashree
 
Apache Spark Data Validation
Databricks
 
Lessons from the Field: Applying Best Practices to Your Apache Spark Applicat...
Databricks
 
Java Persistence API (JPA) Step By Step
Guo Albert
 
Introducing Neo4j
Neo4j
 
Crud tutorial en
forkgrown
 
PostgreSQL Tutorial For Beginners | Edureka
Edureka!
 
Spring Security 5
Jesus Perez Franco
 

What's hot (20)

PDF
RESTful Web Services
Christopher Bartling
 
PDF
Incremental View Maintenance with Coral, DBT, and Iceberg
Walaa Eldin Moustafa
 
PDF
Spring Security
Knoldus Inc.
 
PDF
Scalability, Availability & Stability Patterns
Jonas Bonér
 
ODP
Introduction to Java 8
Knoldus Inc.
 
PPT
Java oops PPT
kishu0005
 
PPTX
Java 8 presentation
Van Huong
 
PDF
Spring Data JPA
Cheng Ta Yeh
 
PPTX
Apache Atlas: Why Big Data Management Requires Hierarchical Taxonomies
DataWorks Summit/Hadoop Summit
 
PPTX
Java Spring Framework
Mehul Jariwala
 
PPTX
Introduction to ML with Apache Spark MLlib
Taras Matyashovsky
 
PDF
Materialized Column: An Efficient Way to Optimize Queries on Nested Columns
Databricks
 
PDF
Présentation de Apache Zookeeper
Michaël Morello
 
PDF
Spring Data JPA from 0-100 in 60 minutes
VMware Tanzu
 
PPTX
iceberg introduction.pptx
Dori Waldman
 
PDF
Pyspark Tutorial | Introduction to Apache Spark with Python | PySpark Trainin...
Edureka!
 
PPT
Spring Framework
nomykk
 
PPTX
JDBC - JPA - Spring Data
Arturs Drozdovs
 
PDF
java.io - streams and files
Marcello Thiry
 
PPTX
Spring boot
sdeeg
 
RESTful Web Services
Christopher Bartling
 
Incremental View Maintenance with Coral, DBT, and Iceberg
Walaa Eldin Moustafa
 
Spring Security
Knoldus Inc.
 
Scalability, Availability & Stability Patterns
Jonas Bonér
 
Introduction to Java 8
Knoldus Inc.
 
Java oops PPT
kishu0005
 
Java 8 presentation
Van Huong
 
Spring Data JPA
Cheng Ta Yeh
 
Apache Atlas: Why Big Data Management Requires Hierarchical Taxonomies
DataWorks Summit/Hadoop Summit
 
Java Spring Framework
Mehul Jariwala
 
Introduction to ML with Apache Spark MLlib
Taras Matyashovsky
 
Materialized Column: An Efficient Way to Optimize Queries on Nested Columns
Databricks
 
Présentation de Apache Zookeeper
Michaël Morello
 
Spring Data JPA from 0-100 in 60 minutes
VMware Tanzu
 
iceberg introduction.pptx
Dori Waldman
 
Pyspark Tutorial | Introduction to Apache Spark with Python | PySpark Trainin...
Edureka!
 
Spring Framework
nomykk
 
JDBC - JPA - Spring Data
Arturs Drozdovs
 
java.io - streams and files
Marcello Thiry
 
Spring boot
sdeeg
 
Ad

Viewers also liked (20)

PDF
How to make APEX print through Node.js
Dimitri Gielis
 
PDF
APEX 5 Demo and Best Practices
Dimitri Gielis
 
PDF
Service Workers and APEX
Dimitri Gielis
 
PDF
Real Application Security (RAS) and Oracle Application Express (APEX)
Dimitri Gielis
 
PPTX
APEX Dashboard Competition - Winners
Tobias Arnhold
 
PDF
APEX Wearables
Dimitri Gielis
 
PPTX
Top 10 HTML5 features every developer should know!
Gill Cleeren
 
PPTX
5 x HTML5 worth using in APEX (5)
Christian Rokitta
 
PPT
Apex RnD APEX 5 - Printing
Lino Schildenfeld
 
PDF
Advanced Reporting And Charting With Oracle Application Express 4.0
Rinie Romme
 
PDF
Controlling execution plans 2014
Enkitec
 
PDF
Apex day 1.0 oracle apex 5.0 patrick wolf
APEX Solutions - Natural Intelligence
 
PDF
5 Cool Things you can do with HTML5 and APEX
Roel Hartman
 
PPTX
PDB Provisioning with Oracle Multitenant Self Service Application
Leighton Nelson
 
PPTX
Building a Flexible UI with Oracle ApEx
Bradley Brown
 
PDF
Offline Web with Oracle JET
andrejusb
 
PPTX
APEX connects Jira
Oliver Lemm
 
PDF
Jsf2 html5-jazoon
Roger Kitain
 
PPTX
Oracle APEX Performance
Scott Wesley
 
PDF
Top 5 Tips to Cut the Effort of your Oracle EBS R12 Project by a Third
Original Software
 
How to make APEX print through Node.js
Dimitri Gielis
 
APEX 5 Demo and Best Practices
Dimitri Gielis
 
Service Workers and APEX
Dimitri Gielis
 
Real Application Security (RAS) and Oracle Application Express (APEX)
Dimitri Gielis
 
APEX Dashboard Competition - Winners
Tobias Arnhold
 
APEX Wearables
Dimitri Gielis
 
Top 10 HTML5 features every developer should know!
Gill Cleeren
 
5 x HTML5 worth using in APEX (5)
Christian Rokitta
 
Apex RnD APEX 5 - Printing
Lino Schildenfeld
 
Advanced Reporting And Charting With Oracle Application Express 4.0
Rinie Romme
 
Controlling execution plans 2014
Enkitec
 
Apex day 1.0 oracle apex 5.0 patrick wolf
APEX Solutions - Natural Intelligence
 
5 Cool Things you can do with HTML5 and APEX
Roel Hartman
 
PDB Provisioning with Oracle Multitenant Self Service Application
Leighton Nelson
 
Building a Flexible UI with Oracle ApEx
Bradley Brown
 
Offline Web with Oracle JET
andrejusb
 
APEX connects Jira
Oliver Lemm
 
Jsf2 html5-jazoon
Roger Kitain
 
Oracle APEX Performance
Scott Wesley
 
Top 5 Tips to Cut the Effort of your Oracle EBS R12 Project by a Third
Original Software
 
Ad

Similar to APEX Security 101 (20)

PPSX
apex security demo.ppsx
siavosh kaviani
 
PDF
APEX Security Primer
Enkitec
 
PPTX
Force.com security
Vijay Naik
 
PDF
SAP security made easy
ERPScan
 
PDF
Secure Salesforce: Common Secure Coding Mistakes
Salesforce Developers
 
PDF
Breaking, forensicating and anti-forensicating SAP Portal and J2EE Engine
ERPScan
 
PPTX
OWASP Top 10 2021 What's New
Michael Furman
 
PDF
Owasp top 10_openwest_2019
Sean Jackson
 
PPT
Web Apps Security
Victor Bucutea
 
PDF
Security .NET.pdf
Abhi Jain
 
PDF
OWASP Top 10 - The Ten Most Critical Web Application Security Risks
All Things Open
 
PDF
Oracle ADF Architecture TV - Design - Designing for Security
Chris Muir
 
PPTX
Innovations dbsec-12c-pub
OracleIDM
 
PDF
Getting Started with Oracle APEX
DataNext Solutions
 
PDF
Secure Salesforce: Hardened Apps with the Mobile SDK
Salesforce Developers
 
PDF
Secure software development presentation
Mahdi Dolati
 
PDF
Access Denied: Real-World Use Cases for APEX and Real Application Security
Jim Czuprynski
 
PPTX
Owasp Top 10 2017
SamsonMuoki
 
PDF
Making Sense of APEX Security by Christoph Ruepprich
Enkitec
 
PDF
OWASP Top 10
Arthur Shvetsov
 
apex security demo.ppsx
siavosh kaviani
 
APEX Security Primer
Enkitec
 
Force.com security
Vijay Naik
 
SAP security made easy
ERPScan
 
Secure Salesforce: Common Secure Coding Mistakes
Salesforce Developers
 
Breaking, forensicating and anti-forensicating SAP Portal and J2EE Engine
ERPScan
 
OWASP Top 10 2021 What's New
Michael Furman
 
Owasp top 10_openwest_2019
Sean Jackson
 
Web Apps Security
Victor Bucutea
 
Security .NET.pdf
Abhi Jain
 
OWASP Top 10 - The Ten Most Critical Web Application Security Risks
All Things Open
 
Oracle ADF Architecture TV - Design - Designing for Security
Chris Muir
 
Innovations dbsec-12c-pub
OracleIDM
 
Getting Started with Oracle APEX
DataNext Solutions
 
Secure Salesforce: Hardened Apps with the Mobile SDK
Salesforce Developers
 
Secure software development presentation
Mahdi Dolati
 
Access Denied: Real-World Use Cases for APEX and Real Application Security
Jim Czuprynski
 
Owasp Top 10 2017
SamsonMuoki
 
Making Sense of APEX Security by Christoph Ruepprich
Enkitec
 
OWASP Top 10
Arthur Shvetsov
 

More from Dimitri Gielis (14)

PDF
Bring the light in your Always FREE Oracle Cloud
Dimitri Gielis
 
PPTX
APEX Office Print (AOP)
Dimitri Gielis
 
PDF
REST Web Service? No, GraphQL please!
Dimitri Gielis
 
PDF
Can You Do That with APEX? Building Not So Straightforward Pages
Dimitri Gielis
 
PDF
Bringing Virtual Reality (VR) and Augmented Reality (AR) to APEX
Dimitri Gielis
 
PDF
Oracle APEX Cheat Sheet
Dimitri Gielis
 
PDF
Reporting with Oracle Application Express (APEX)
Dimitri Gielis
 
PDF
Moving your APEX app to the Oracle Exadata Express Cloud
Dimitri Gielis
 
PDF
Oracle APEX for Beginners
Dimitri Gielis
 
PDF
JavaScript straight from the Oracle Database
Dimitri Gielis
 
PDF
APEX Office Print
Dimitri Gielis
 
PDF
Moving to the APEX Listener
Dimitri Gielis
 
PDF
A Primer on Web Components in APEX
Dimitri Gielis
 
PDF
Oracle Application Express (APEX) and Microsoft Sharepoint integration
Dimitri Gielis
 
Bring the light in your Always FREE Oracle Cloud
Dimitri Gielis
 
APEX Office Print (AOP)
Dimitri Gielis
 
REST Web Service? No, GraphQL please!
Dimitri Gielis
 
Can You Do That with APEX? Building Not So Straightforward Pages
Dimitri Gielis
 
Bringing Virtual Reality (VR) and Augmented Reality (AR) to APEX
Dimitri Gielis
 
Oracle APEX Cheat Sheet
Dimitri Gielis
 
Reporting with Oracle Application Express (APEX)
Dimitri Gielis
 
Moving your APEX app to the Oracle Exadata Express Cloud
Dimitri Gielis
 
Oracle APEX for Beginners
Dimitri Gielis
 
JavaScript straight from the Oracle Database
Dimitri Gielis
 
APEX Office Print
Dimitri Gielis
 
Moving to the APEX Listener
Dimitri Gielis
 
A Primer on Web Components in APEX
Dimitri Gielis
 
Oracle Application Express (APEX) and Microsoft Sharepoint integration
Dimitri Gielis
 

Recently uploaded (20)

PDF
A review of recent deep learning applications in wood surface defect identifi...
IAESIJAI
 
PDF
Five Habits of High-Impact Board Members
OnBoard
 
PDF
Hindi spoken digit analysis for native and non-native speakers
IAESIJAI
 
PDF
Enhancing emotion recognition model for a student engagement use case through...
IAESIJAI
 
PDF
Transform Your ITIL® 4 & ITSM Strategy with AI in 2025.pdf
PDCA Consulting
 
PDF
DP Operators-handbook-extract for the Mautical Institute
LeonelMejiaLarios
 
PDF
How ambidextrous entrepreneurial leaders react to the artificial intelligence...
IAESIJAI
 
PPTX
MicrosoftCybserSecurityReferenceArchitecture-April-2025.pptx
SilvioHayashi
 
PDF
A novel scalable deep ensemble learning framework for big data classification...
IAESIJAI
 
PDF
Architecture types and enterprise applications.pdf
ChristopherTHyatt
 
PDF
A contest of sentiment analysis: k-nearest neighbor versus neural network
IAESIJAI
 
PDF
Taming the Chaos: How to Turn Unstructured Data into Decisions
Safe Software
 
PPTX
Group 1 Presentation -Planning and Decision Making .pptx
MatthewLewis227954
 
PDF
Getting Started with Data Integration: FME Form 101
Safe Software
 
PPTX
Benefits of Physical activity for teenagers.pptx
Nokwanda Thabethe
 
PPTX
Chapter 5: Probability Theory and Statistics
RandyFin
 
PPTX
Modernising the Digital Integration Hub
Daniel Toomey
 
DOCX
search engine optimization ppt fir known well about this
StandardCodeLearning
 
PDF
Univ-Connecticut-ChatGPT-Presentaion.pdf
ry7r52mzb4
 
PDF
Assigned Numbers - 2025 - Bluetooth® Document
Bloombase
 
A review of recent deep learning applications in wood surface defect identifi...
IAESIJAI
 
Five Habits of High-Impact Board Members
OnBoard
 
Hindi spoken digit analysis for native and non-native speakers
IAESIJAI
 
Enhancing emotion recognition model for a student engagement use case through...
IAESIJAI
 
Transform Your ITIL® 4 & ITSM Strategy with AI in 2025.pdf
PDCA Consulting
 
DP Operators-handbook-extract for the Mautical Institute
LeonelMejiaLarios
 
How ambidextrous entrepreneurial leaders react to the artificial intelligence...
IAESIJAI
 
MicrosoftCybserSecurityReferenceArchitecture-April-2025.pptx
SilvioHayashi
 
A novel scalable deep ensemble learning framework for big data classification...
IAESIJAI
 
Architecture types and enterprise applications.pdf
ChristopherTHyatt
 
A contest of sentiment analysis: k-nearest neighbor versus neural network
IAESIJAI
 
Taming the Chaos: How to Turn Unstructured Data into Decisions
Safe Software
 
Group 1 Presentation -Planning and Decision Making .pptx
MatthewLewis227954
 
Getting Started with Data Integration: FME Form 101
Safe Software
 
Benefits of Physical activity for teenagers.pptx
Nokwanda Thabethe
 
Chapter 5: Probability Theory and Statistics
RandyFin
 
Modernising the Digital Integration Hub
Daniel Toomey
 
search engine optimization ppt fir known well about this
StandardCodeLearning
 
Univ-Connecticut-ChatGPT-Presentaion.pdf
ry7r52mzb4
 
Assigned Numbers - 2025 - Bluetooth® Document
Bloombase
 

APEX Security 101