
Securing Your APEX Applications with APEX-SERT

Date post: 30-May-2020

APEX-SERT Overview

Welcome


About Me

@sspendol


About Sumner Technologies

• Originally founded in 2005
– Purchased by Enkitec in 2012
– Enkitec purchased by Accenture in 2014
– Re-Launched in 2015
• Sumner Technologies provides world-class services and education for Oracle Application Express and Oracle Database Cloud
– Development, migration, health & security checks

Agenda

• Overview
• About APEX-SERT
• Demonstration
• Q&A

Overview

Security is hard. If it’s easy, it’s likely wrong.

[Figure: Security Budget Disparities, comparing "Before a Breach" with "After a Breach"; labels: Most Funded, Most Emphasized]

Reasons We Ignore Security in Our Apps

• Not enough time
• Unimportant data
• Internal only
• Stupid users
• Not my job
• Small app

Recipe for Disaster

• Given:
– The stresses of getting our applications released quickly
– The lack of time we have to do so
• Our applications - APEX & otherwise - are likely to have potential security vulnerabilities that we could easily fix
– If we only knew what they were and had the time...

About APEX-SERT


APEX-SERT

• APEX-SERT: APEX Security Evaluation & Recommendation Tool
• APEX application designed to evaluate and identify potential security issues in other APEX applications
– Support for APEX 4.2 & 5.0
• Installs once and can be accessed instantly from any workspace with existing developer credentials
• Now available as open source under GPLv3 license

How it Works

• APEX-SERT evaluates your application’s metadata for potential security issues
– Takes only a few seconds to run
• Result is an interactive APEX application that allows developers to easily explore and mitigate potential threats
– Each application is scored based on APEX-SERT’s findings
• Designed to clearly identify what needs attention and steer developers or managers in that direction
– Click on a defect to edit and remedy it

Vulnerabilities Addressed

• APEX-SERT will look for 5 classifications of potential vulnerabilities:
– URL Tampering
– Cross Site Scripting
– SQL Injection
– Page Settings
– Application Settings

Complete Evaluation

• APEX-SERT evaluates all components of an application, regardless of their condition & authorization scheme
– Nothing gets skipped
• APEX-SERT can be pre-configured with a set of valid values and rules
– Which can be changed or augmented depending on your interpretation or business needs


Security is not a product, but rather a process.

Ongoing Evaluation

• APEX-SERT allows developers to add exceptions for false positives and acceptable risks
• All exceptions must be reviewed & approved by a manager before the “approved” score increases
• As exceptions are logged, the value of the attribute in question is also captured
– If this value changes at any time, the exception will be instantly flagged as “stale” and require re-approval
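
The exception workflow above, sketched as an added example (not APEX-SERT's own code): each exception stores the attribute value it was logged against, goes stale when that value changes, and only counts toward the approved score once a manager has approved it. The component names, attribute values, status names other than “stale” and “approved”, and the percentage formula are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    key: str       # component/attribute a rule evaluated (constructed names)
    value: str     # attribute value currently in the application metadata
    passed: bool   # whether that value satisfies the rule

@dataclass(frozen=True)
class LoggedException:
    key: str
    captured_value: str  # attribute value at the time the exception was logged
    approved: bool       # True once a manager has reviewed and approved it

def classify(finding, exc):
    """Return pass, fail, pending, approved or stale for one finding."""
    if finding.passed:
        return "pass"
    if exc is None:
        return "fail"
    if exc.captured_value != finding.value:
        return "stale"  # value changed after logging: needs re-approval
    return "approved" if exc.approved else "pending"

def evaluate(findings, exceptions):
    """Return (states, raw score %, approved score %); formula is assumed."""
    by_key = {e.key: e for e in exceptions}
    states = {f.key: classify(f, by_key.get(f.key)) for f in findings}
    total = max(len(findings), 1)
    raw = sum(s == "pass" for s in states.values())
    accepted = sum(s in ("pass", "approved") for s in states.values())
    return states, round(100 * raw / total), round(100 * accepted / total)

# Constructed sample data, not output from a real APEX-SERT evaluation.
FINDINGS = [
    Finding("page 1 / page access protection", "checksum required", True),
    Finding("page 5 / item P5_ID protection", "unrestricted", False),
    Finding("page 7 / report column escaping", "off", False),
    Finding("page 9 / authorization scheme", "public", False),
    Finding("app / maximum session length", "86400", False),
]
EXCEPTIONS = [
    LoggedException("page 5 / item P5_ID protection", "unrestricted", True),
    LoggedException("page 7 / report column escaping", "off", False),
    # Approved when the value was 28800; the attribute has since changed.
    LoggedException("app / maximum session length", "28800", True),
]

if __name__ == "__main__":
    states, raw, approved = evaluate(FINDINGS, EXCEPTIONS)
    for key, state in states.items():
        print(f"{state:9} {key}")
    print(f"raw score {raw}%, approved score {approved}%")
```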

Without APEX-SERT

• Correcting each additional security vulnerability may cause other functional issues
– Thus, a high number of vulnerabilities corrected at once will yield more functional defects and increase development time

[Chart: Vulnerabilities over Time. Annotation: Fixing issues here will likely break something else]

With APEX-SERT

• Using APEX-SERT to keep security vulnerabilities to a minimum reduces the number of functional defects introduced

[Chart: Vulnerabilities over Time. Annotation: Preventing a high number of vulnerabilities ensures fewer defects introduced]


Demonstration


Summary

“Yesterday, you said tomorrow”

• With APEX-SERT, there is no longer an excuse to ignore the security of your APEX applications
– Installs & configures in minutes
– Totally integrated into the APEX builder
– Easy to learn and use
– Evaluations can be automated
– No license costs

Summary

• APEX-SERT provides you with the ability to easily and quickly identify and remedy most APEX security vulnerabilities
– It is designed to be used throughout the development process, not as a checkpoint at the end
– As a side-effect, your developers will become more security-conscious by using APEX-SERT and incorporate secure best practices by default

Availability

• APEX 4.2
– Available today
– No new features; only bug fixes for supported customers
• APEX 5.0
– Available today
– Limited new features
• APEX 5.1
– Available “Soon”

Downloads

• All releases & source code available on GitHub:
– https://github.com/OraOpenSource/apex-sert
– Click on releases
– Download & extract sert_050000.zip
• APEX-SERT home page via OraOpenSource:
– http://oraopensource.com/apex-sert

Support

• Sumner Technologies provides complete for-cost support for APEX-SERT
– Per-instance or per-site basis
• Contact us for details & pricing
– http://www.sumnertech.com/apex-sert
– 703-722-1495

Q & A
