How to Make your Oracle Apex Applications Secure by Peter Lorenzo

Assumption: an APEX application that is accessed over the internet and contains data must be secured.

- Apex is secure but developers make it insecure :)
- XE is free but not patched, not an option for security needs
- use an HTTP server which is known and supported
- "security is an architecture, not an appliance" Art Withan
- DMZ firewall between your Intranet and Internet, only HTTP between DMZ and Intranet
- SSL to encrypt the communication to Apex, since everything is sent as text, including passwords
- Critical Patch Updates (CPU): patching should be a part of daily operations
- use checklists and adopt best practices, Project Lockdown by Nanda at OTN
- if you are using Apache as HTTP server, remove pre-loaded and pre-installed stuff
- give away as little as possible about yourself: ServerTokens Prod, ServerSignature Off
- cross site scripting (XSS): use "display as text" discarding special characters to avoid JS injection; in PL/SQL use htf.escape_sc; use bind variables to avoid SQL injection: '&P1_ENAME' => :P1_ENAME
- always validate user inputs, especially with NDS (native dynamic SQL)
- use Apex URLs with an SSP checksum; apex_util.prepare_url generates the checksum from PL/SQL
- always use session state protection
- disable administrator login / workspace login, restrict access by IP address, set a workspace password policy
- obfuscate the APEX_PUBLIC_USER password, use dadTool.pl
- web developer tool (a tool like Firebug) has a feature which at client side changes hidden items or select lists to free text, hobaaa!!
- use DB security options to support Apex
- on the Apex wiki: "how to set SSL for Oracle HTTP Server" - http://tinyurl.com
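The substitution-versus-bind, htf.escape_sc, NDS validation and prepare_url points above, as an added example (not from the original notes or from Oracle). A table EMP, page items P1_ENAME / P1_SORT / P1_DEPTNO and a page 2 with item P2_ENAME (with session state protection enabled) are assumed for illustration.

```plsql
-- BEFORE: &P1_ENAME. is substituted by the APEX engine into the source text
-- before it is compiled, so the user's input becomes part of the SQL statement
-- (SQL injection) and is echoed into the page unchanged (XSS).
DECLARE
  l_cnt NUMBER;
BEGIN
  SELECT COUNT(*) INTO l_cnt FROM emp WHERE ename = '&P1_ENAME.';
  htp.p('Matches for &P1_ENAME.: ' || l_cnt);
END;

-- AFTER: the value travels as a bind variable, output is escaped, the dynamic
-- ORDER BY column is checked against a fixed list before native dynamic SQL,
-- and the link to page 2 carries a session-state-protection checksum.
DECLARE
  l_cnt  NUMBER;
  l_sort VARCHAR2(30);
  l_cur  SYS_REFCURSOR;
BEGIN
  -- bind variable: the value is sent separately from the SQL text
  SELECT COUNT(*) INTO l_cnt FROM emp WHERE ename = :P1_ENAME;

  -- escape before writing the item value back into HTML
  htp.p('Matches for ' || htf.escape_sc(:P1_ENAME) || ': ' || l_cnt);

  -- identifiers cannot be bound, so map the item value onto a whitelist
  -- instead of concatenating it into the statement (assumed item P1_SORT)
  l_sort := CASE :P1_SORT
              WHEN 'ENAME' THEN 'ename'
              WHEN 'SAL'   THEN 'sal'
              ELSE 'ename'
            END;
  OPEN l_cur FOR
    'SELECT ename FROM emp WHERE deptno = :1 ORDER BY ' || l_sort
    USING :P1_DEPTNO;
  CLOSE l_cur;

  -- checksum-protected link: page 2 rejects the request if P2_ENAME is altered
  htp.p('<a href="' || apex_util.prepare_url(
          'f?p=' || :APP_ID || ':2:' || :APP_SESSION || '::NO::P2_ENAME:'
          || apex_util.url_encode(:P1_ENAME))
        || '">details</a>');
END;
```

Only the second block belongs in a real page process; the first is kept beside it to show what the '&P1_ENAME' => :P1_ENAME line in the notes means.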