
1 Oracle Application Express Security

2 © 2009 Oracle Corporation
Authentication
Out-of-the-Box Pre-Configured Schemes
- LDAP Directory credentials
- Oracle Application Server Single Sign-On
- Open door credentials
- Application Express accounts
- Database Account credentials
- No Authentication (using DAD)
Custom Authentication
- Customizable session management logic
  - Use or modify the built-in page sentry (session verification function)
  - Develop a custom sentry (examples provided)
- Credentials verification via custom PL/SQL
  - Accepts user name and password; returns Boolean
  - Only executed once per session
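The slide describes the contract of a custom credentials verification function: it receives a user name and a password, returns a Boolean, and APEX calls it once at login. The following PL/SQL is an added example written for this transcript, not code from the slide deck or from Oracle. The table APP_USERS and its columns, the salted SHA-256 hashing via DBMS_CRYPTO.HASH_SH256 (available in 12c and later; 2009-era databases offered HASH_SH1), and the required EXECUTE privilege on DBMS_CRYPTO are all assumptions.

```plsql
-- Added example: custom authentication function for an APEX Custom
-- Authentication scheme. Signature (user name, password) -> BOOLEAN is the
-- one the slide describes. Table APP_USERS (username, password_salt,
-- password_hash, is_active) is an assumed application table.
create or replace function app_authenticate (
    p_username in varchar2,
    p_password in varchar2
) return boolean
is
    l_salt        raw(16);
    l_stored_hash raw(32);
    l_computed    raw(32);
begin
    -- Look up the per-user salt and stored hash; an unknown or disabled
    -- user fails the same way as a wrong password.
    begin
        select password_salt, password_hash
          into l_salt, l_stored_hash
          from app_users
         where username  = upper(p_username)
           and is_active = 'Y';
    exception
        when no_data_found then
            return false;
    end;

    -- Hash salt || password with SHA-256 (DBMS_CRYPTO.HASH_SH256 is a 12c+
    -- constant); the plaintext password is never stored or compared directly.
    l_computed := dbms_crypto.hash(
        src => utl_raw.concat(l_salt, utl_raw.cast_to_raw(p_password)),
        typ => dbms_crypto.hash_sh256);

    -- UTL_RAW.COMPARE returns 0 when both RAW values are identical.
    -- APEX establishes the session only when this function returns TRUE.
    return utl_raw.compare(l_computed, l_stored_hash) = 0;
end app_authenticate;
/
```

Register the function name in the Custom Authentication scheme's credentials verification setting; because APEX runs it once per session, the cost of the hash computation is paid at login only.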

3 © 2009 Oracle Corporation
Managing User Access
Authorization
- Pass / Fail checks – cached to improve performance
- Can be associated with any component (e.g. application, page, button, validation, item, etc.)
- Various types (e.g. Exists, SQL Query, PL/SQL Function, etc.)
Session State Protection
- Prevents URL tampering
- Utilizes an MD5 checksum
Agnostically use Database Security Features
- Fine Grained Access Control (aka VPD); Transparent Data Encryption; Database Vault; Advanced Security Option; etc.
- No APEX development effort required

4 © 2009 Oracle Corporation
Administrator Best Practices
Considerations with Embedded PL/SQL Gateway
- Uses the XMLDB HTTP Protocol Listener – part of the Database
- Not recommended for internet-facing applications
Configuring Oracle HTTP Server with mod_plsql
- Configured using Database Access Descriptors (DADs)
- Use PlsqlRequestValidationFunction to allow only specified procedures
Utilizing Secure Sockets Layer (SSL)
- Implemented using the HTTPS protocol – encrypts sent / received packets
- Prevents data from being sent over an unprotected communication channel
APEX Runtime-Only Environment
- Scripts provided to completely remove / re-install Application Builder
- Removes the Web interface for administration and application development
Setting Password Complexity Rules
- Can set multiple complexity rules / re-use rules across the instance
Using Session Timeout
- Set maximum session length and idle time for APEX developer log-ins
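The PlsqlRequestValidationFunction directive on the slide names a PL/SQL function that mod_plsql calls with the procedure name requested in the URL; the request is dispatched only when the function returns TRUE. The function below is an added example for this transcript, not Oracle's own validation function. Its signature (one VARCHAR2 argument, BOOLEAN result) is the one mod_plsql expects; the set of allowed entry points is an assumption to be completed from the APEX installation guide for the version in use, and the function name is arbitrary.

```plsql
-- Added example: allow-list for mod_plsql's PlsqlRequestValidationFunction.
-- mod_plsql passes the requested procedure name; TRUE lets the call through.
-- The list of entry points below is an assumed minimum; extend it from the
-- APEX installation guide for your release rather than from observation.
create or replace function request_validation (
    procedure_name in varchar2
) return boolean
is
    l_name varchar2(300) := upper(trim(procedure_name));
begin
    -- Reject anything that is not a plain identifier (no quotes, spaces or
    -- other characters a normal procedure name never contains).
    if not regexp_like(l_name, '^[A-Z0-9_$#]+(\.[A-Z0-9_$#]+)*$') then
        return false;
    end if;

    -- Explicit allow-list: only the public APEX entry points are reachable.
    -- Every other procedure the DAD user can execute is closed by default.
    if l_name in ('F', 'P', 'WWV_FLOW.SHOW', 'WWV_FLOW.ACCEPT', 'WWV_FLOW.AJAX') then
        return true;
    end if;

    return false;
end request_validation;
/
```

In the DAD definition the directive then reads `PlsqlRequestValidationFunction request_validation` (with the schema prefix if the function is not owned by the DAD user). An allow-list is preferable to a deny-list here: any procedure added to the schema later is unreachable until it is named explicitly.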

5 © 2009 Oracle Corporation
Developer Best Practices
Understand Items of type Password
- Don’t emit entered text to the screen
- Should not save state, or should use Item encryption if saving to the DB
- Reports provided to identify at-risk Password items
Using Zero as Session ID
- Critical for PUBLIC applications to ensure no cross-user contamination
- Session ID not included in the application URL
Cross-Site Scripting Protection
- Protect HTML Regions and other static areas
  - Use &ITEM. notation to reference session state variables
  - Select the best Item types based on the protection required
- Protect Dynamic Output
  - Explicitly use escape code when emitting session state, e.g. htp.p(htf.escape_sc(v('SOME_ITEM')));
- Protect Report Regions
  - References in headings and messages are escaped based on Item type
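The "Protect Dynamic Output" point is easiest to see as a PL/SQL region source in both forms. The two procedures below are an added example for this transcript, not code from the slides; they only generalise the slide's own `htp.p(htf.escape_sc(v('SOME_ITEM')))` idiom to a region that emits several values. The item names P1_USER_NAME and P1_COMMENT are assumptions.

```plsql
-- Added example: a PL/SQL region that renders session state.
-- Item names P1_USER_NAME and P1_COMMENT are assumed.

-- At-risk form: session state is concatenated straight into the HTML, so any
-- markup a user managed to store in the item is rendered, not displayed.
create or replace procedure show_comment_unescaped
is
begin
    htp.p('<p>Posted by ' || v('P1_USER_NAME') || '</p>');
    htp.p('<div class="comment">' || v('P1_COMMENT') || '</div>');
end show_comment_unescaped;
/

-- Hardened form (the slide's recommendation): every dynamic value passes
-- through htf.escape_sc, which turns <, >, & and quotes into entities, so the
-- browser shows the characters as text. The structural markup written by the
-- developer is untouched; only session state is escaped.
create or replace procedure show_comment_escaped
is
begin
    htp.p('<p>Posted by ' || htf.escape_sc(v('P1_USER_NAME')) || '</p>');
    htp.p('<div class="comment">' || htf.escape_sc(v('P1_COMMENT')) || '</div>');
end show_comment_escaped;
/
```

The rule of thumb that follows from the slide: escape at the point of output, once, for every value that did not originate in the developer's own source code, and let the Item type (Display Only with escaping, standard report column escaping) do the same job for declarative components.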

6 © 2009 Oracle Corporation
Developer Best Practices
Session State Protection
- Clear session state of unneeded values using the Clear Cache built-ins
- Enable Session State Protection to prevent URL tampering
- Set appropriate protection for Pages, Items and Application Items using the built-ins
Utilize Application Session Time-Outs
- Build a public page for users to land on when the session has expired
- Set Maximum Session Length and Maximum Session Idle times
Save State before Branching
- Use the Branch checkbox to save session state values prior to branching
- Session state values will not be displayed in the Branch URL
Saving sensitive Item values (e.g. SSN)
- Use the Item checkbox to store the value encrypted in session state
- Stores values encrypted in the APEX session state table
- For storing sensitive data in the database, encrypt the table columns
- Encrypting table columns is completely independent of APEX
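The "Clear Cache built-ins" and the session time-out settings on this slide have programmatic counterparts in the APEX_UTIL package. The anonymous block below is an added example for this transcript, not code from the slides, showing how a page process can discard session state it no longer needs and tighten the current session's limits. APEX_UTIL.CLEAR_PAGE_CACHE, SET_SESSION_STATE, SET_SESSION_LIFETIME_SECONDS and SET_SESSION_MAX_IDLE_SECONDS are documented APEX_UTIL programs, but confirm their availability in the APEX release you run; the page numbers, item name and time values are assumptions.

```plsql
-- Added example: a page process run after a multi-step wizard completes.
-- Page numbers 10 and 11, item P12_SSN and the timeout values are assumed.
begin
    -- Drop all item values of the finished pages so they can neither leak
    -- into a later page nor be replayed through a crafted URL.
    apex_util.clear_page_cache(p_page_id => 10);
    apex_util.clear_page_cache(p_page_id => 11);

    -- Clear one sensitive item explicitly instead of the whole page when
    -- the remaining items on that page are still needed.
    apex_util.set_session_state(p_name => 'P12_SSN', p_value => null);

    -- Tighten this session: 30 minutes total lifetime, 10 minutes idle.
    -- The application-level Maximum Session Length / Idle Time attributes
    -- remain the defaults; these calls override them for the current
    -- session only, which suits a step that has just handled sensitive data.
    apex_util.set_session_lifetime_seconds(p_seconds => 1800);
    apex_util.set_session_max_idle_seconds(p_seconds => 600);
end;
/
```

Pair the idle and lifetime limits with the public "session expired" landing page the slide recommends, so a user whose session was ended by the limit gets a clear message rather than an error from the page sentry.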

