HARDENING APEX FOR MAXIMUM SECURITY
Randy Cunningham, SageLogix, Inc.
APPLICATION EXPRESS: BACKGROUND
Oracle Application Express, also known by its short name of Apex, is a web-based software development and run-time environment for Oracle databases. Since its introduction in 2000, it has also been known by the names Flows, Oracle Platform, Project Marvel and HTMLDB. Apex is easy to learn, deploys quickly and requires essentially no endpoint support because it runs in a web browser. As a result, the software has gained a popular following for application prototyping and for rapid application development. However, there is no reason to limit Apex only to speedy deployments; it is sufficiently rich and robust to allow its use for full-scale production applications. For example, the Ask Tom website (http://asktom.oracle.com) is built on Application Express, as was Oracle’s MetaLink support site until recently. Beginning with Oracle Database 11g, Apex is included in the base product deliverable, so it is readily available to a wide audience.
SECURITY IN APEX
Out of the box, Apex includes a rudimentary user-and-role based access control framework, including administrative access for performing such super-user tasks as creating users, assigning roles and setting overall security policies. In addition, there is developer-level access and end-user-level access, each of which is adjustable based on installation needs and policies. The immediately available authentication schemes include the Apex user framework, database authentication through the DAD, or authentication using a database account. Regrettably, authentication can also be disabled entirely. In addition to the supplied authentication schemes, Apex shared components and PL/SQL libraries permit Apex session authentication using LDAP, including OID and Windows Active Directory, so enterprise roles, responsibilities and groups are readily accessible to the Apex application. This approach inevitably requires the development of site-specific, custom code. By default, Apex logs all session authentication attempts into a database table.
ORGANIZATIONAL SECURITY REQUIREMENTS
Apex is not inherently insecure. As with the Oracle database itself, Apex can be compromised to a point where it offers essentially no security at all, or it can be augmented and configured to a degree that enables Apex applications to comply adequately with stringent organizational requirements and statutory requirements, including HIPAA and Sarbanes-Oxley. Also, Apex is just one component in an overall security landscape. Attempting to implement a security policy or to comply with security requirements only by adjusting Apex is doomed to fail; the database, the operating system and the network must also support the overall organizational security plan.
UNDERSTANDING THE THREATS
It is a natural tendency when approaching topics concerning information technology security to focus on the model of an adolescent hacker in some faraway land, an individual with a malicious streak intent on stealing information, blackmailing their target, or vandalizing a web site. While this threat is undoubtedly real, security also encompasses these scenarios:
• Unauthorized data incursions by the organization’s own employees, customers, vendors and other authorized parties;
• Massive corruption or loss of data through operator or procedural error;
• Accidental disclosure of data to unauthorized parties or to the public;
• Social engineering, where data are destroyed, changed or disclosed by authorized individuals who have been duped.
1 Session # 416
START WITH SECURITY IN MIND
All too often, security is an afterthought; it is something that is done after all of the user acceptance testing is complete, and often with an attitude of appeasing the organization’s internal audit group! In other cases, security is only considered after there has been a security breach, either...