Security Tips for APEX Applications: "I don't need security because … we are not on the Internet…"
Small Print
The Threat Landscape
• Cyber Criminals
• Hacktivists
• Hackers
• Nation States
Or Is It This?
• Competitors
• Script Kiddies
• Employees
• Ex-Employees
I Don’t Need Security Because ….
• We are not on the Internet
• I don’t have any sensitive data
• It’s just for Dev, Test or Demos
• We have Accreditation, VA or Pen Test
• We have Security Teams to worry about that
• It costs too much
• I trust my Users
• All the access points have AV installed
OWASP Top Ten
• A1 – Injection
• A2 – Broken Authentication
• A3 – Sensitive Data Exposure
• A4 – XML External Entities (XXE)
• A5 – Broken Access Control
• A6 – Security Misconfiguration
• A7 – Cross-Site Scripting (XSS)
• A8 – Insecure Deserialization
• A9 – Using Components with Known Vulnerabilities
• A10 – Insufficient Logging & Monitoring
APEX Common Vulnerabilities
• SQL Injection
• Cross-Site Scripting
• URL Tampering
APEX Common Precautions
• Authorization Schemes
• Escape Markup
• Scanning (APEXSec, APEX-SERT, APEX Advisor)
• Fine Grain Access Control (VPD/OLS)
• Database Advanced Security - TDE, DV
• Vulnerability Assessments
Security Frameworks / ISMS
• NCSC Cyber Essentials
• IASME Governance
• NCSC Cyber Essentials Plus
• IASME GOLD
• ISO 27001
Top Tips
1. Secure By Default
2. Defence in Depth
3. Don’t put Data in your parsing schema
4. Use GUIDs not Sequences
5. Friends don’t let friends write authentication
6. Get Wise
7. Testing
8. Technical
NCSC “Secure By Default”
1. Built In, Not Added On
2. Treat Cause, Not Symptoms
3. Process, Not A Goal
4. Don’t Compromise Usability
5. Reliable
6. Evolving
7. Avoid Security Through Obscurity
8. Simple
“Defence In Depth”
• Mutual Support
• Layering Security
Application Architecture
[Diagram: APEX Workspace containing the Application and its Parsing Schema, with separate Application Schema, Data Schema and Users Schema layers]
GUID vs Sequences
Sequence   GUID
10020      93487593845939897845
10040      00480353495309485393
10060      03458923396566670000
10080      85849493040959594003
10090      95949300020033040506
Authentication
“Friends don’t let friends write authentication”
“Hackers don’t need to hack-in, they just need to log in."
• 70% of breaches from stolen credentials
• 51% of people still reuse passwords
Enterprise IDAM
1. Oracle Identity Cloud Services
2. OKTA
3. verify.gov.uk
Training
1. OWASP
2. https://portswigger.net/web-security
3. https://www2.owasp.org/www-project-juice-shop/
Testing
APEX Test Automation
Top Tips Summary
1. Secure By Default
2. Defence in Depth
3. Don’t put Data in your parsing schema
4. Use GUIDs not Sequences
5. Friends don’t let friends write authentication
6. Get Wise
7. Testing
#1 Content Security Policy (CSP)
• https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
• https://www.w3.org/TR/CSP3
• HTTP Response Header
• Current Release V2 – V3 Draft
• Supported Chrome 25, IE 10, FF 23, Opera 15, Safari 7
• XSS (By Restricting Domains)
• Packet Sniffing (By Restricting Protocols)
• Active or Passive
• Content-Security-Policy
• Content-Security-Policy-Report-Only
#1 APEX CSP - Example
Content-Security-Policy-Report-Only:
    default-src 'self' 'unsafe-inline' 'report-sample';
    report-uri (Deprecated?)
    report-to
• https://www.apextestautomation.co.uk/ords/f?p=285
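To show what the Report-Only header above actually does, here is an added example (not code from the slides or from APEX) that parses a CSP header value and decides whether an external script would be allowed, blocked, or only reported. It implements a simplified subset of CSP3 source matching; the report-to group name "csp-endpoint" and the script URLs are constructed for the demo.

```python
from urllib.parse import urlparse

# Constructed values for the demo: the slide's Report-Only policy and the site it protects
# (the report-to group name "csp-endpoint" is an assumption, not from the slides).
PAGE_ORIGIN = "https://www.apextestautomation.co.uk"
PAGE_CSP = "default-src 'self' 'unsafe-inline' 'report-sample'; report-to csp-endpoint"

def parse_csp(header_value):
    """Split a CSP header value into {directive-name: [source expressions]}."""
    policy = {}
    for directive in header_value.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def source_allowed(policy, directive, url, page_origin):
    """Simplified CSP3 matching: keywords 'none'/'self'/'*' and host sources with an
    optional scheme and leading '*.' wildcard. Nonces, hashes, ports and paths are omitted."""
    sources = policy.get(directive, policy.get("default-src"))
    if sources is None:
        return True               # no governing directive: CSP imposes no restriction
    target = urlparse(url)
    host = (target.hostname or "").lower()
    for src in sources:
        src = src.lower()
        if src == "'none'":
            return False
        if src == "*":
            return True
        if src == "'self'":
            if f"{target.scheme}://{target.netloc}".lower() == page_origin.lower():
                return True
            continue
        if src.startswith("'"):
            continue              # 'unsafe-inline', 'report-sample', ... never match a URL
        scheme, _, src_host = src.rpartition("://")
        if scheme and scheme != target.scheme.lower():
            continue
        if src_host.startswith("*.") and host.endswith(src_host[1:]):
            return True
        if src_host == host:
            return True
    return False

def check_script(header_name, header_value, url, page_origin=PAGE_ORIGIN):
    """What the browser does with an external script: Report-Only never blocks, it only
    sends a violation report; the enforcing header both blocks and reports."""
    allowed = source_allowed(parse_csp(header_value), "script-src", url, page_origin)
    enforcing = header_name.lower() == "content-security-policy"
    return {"allowed": allowed, "blocked": not allowed and enforcing, "reported": not allowed}
```

Running the same third-party script URL through both header names shows why the Report-Only phase is safe to deploy first: nothing breaks, but every foreign script source shows up in the reports.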
#1 CSP Violations
#2 ICAP
• https://www.symantec.com/products/protection-engine
• Symantec Protection Engine For Cloud Services
• ORDS Configuration
• Prevent Hosting and Distribution Of Malware
• URL Filtering
• Advanced Machine Learning
• EICAR test file
#2 ICAP Screenshots
#2 ICAP Configuration
• AV Content & Scanning
• Insight
• URL Content & Reputational Filtering
• APK Reputation
• Tuning
• File Types
• File Sizes
• Scan Time
#3 SSL One Way
[Diagram: Certificate Authority (CA); https request; Access Protected Resource]
#3 SSL Two Way
[Diagram: Certificate Authority (CA); https request; Access Protected Resource]
#3 Two Way SSL Issues
• Bulk Production of Certificates
• Distribution of Certificates
• https://send.firefox.com
• Distribution of Passwords
• User Education
• Installation of certificates
• Use of certificates
#4 HSTS
• https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
• What: Strict-Transport-Security
• Why: Prevents Man-In-The-Middle-Attack
• How: Blocks non-https connection by Domain
• Test: chrome://net-internals/#hsts
#5 Data Catalogue
• Use APEX to Catalogue Data
• Store Information in Database Comments
• Review for Business Use
• Review for Legal Basis (GDPR)
• Demo: https://www.apextestautomation.co.uk/ords/f?p=247
#6 2FA
• OTP Vs SMS Vs U2F
• HMAC OTP Authenticator App
• QR Code App or Free Desktop App (Win and Mac)
1. Included with the Authentication Service
2. Added to the upstream Authentication Service
3. APEX Authentication
#6 2FA Key Features
• SMS Session Code
• Display both QR Code AND Secret Key
• Add/Replace Devices
• Create a new key
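The "HMAC OTP Authenticator App" and "Display both QR Code AND Secret Key" points above, as an added example that is not code from the slides or from APEX: RFC 4226 HOTP, RFC 6238 TOTP on top of it, a server-side verify that tolerates clock drift, and the otpauth:// URI that the QR code encodes (the issuer and account names are constructed).

```python
import base64, hashlib, hmac, secrets, struct, time
from urllib.parse import quote

TIME_STEP = 30  # seconds per TOTP window

def new_secret(nbytes=20):
    """Generate a fresh per-user shared secret (160 bits, as RFC 4226 recommends)."""
    return secrets.token_bytes(nbytes)

def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret, at=None, digits=6):
    """RFC 6238: HOTP whose counter is derived from Unix time (what the app displays)."""
    at = time.time() if at is None else at
    return hotp(secret, int(at) // TIME_STEP, digits)

def verify_totp(secret, code, at=None, window=1):
    """Server-side check: accept the current step and +/- `window` steps for clock drift,
    comparing in constant time so timing does not leak how many digits matched."""
    at = time.time() if at is None else at
    return any(hmac.compare_digest(totp(secret, at + d * TIME_STEP), code)
               for d in range(-window, window + 1))

def provisioning_uri(secret, account, issuer):
    """otpauth:// URI that the QR code encodes; the same base32 secret is shown as text
    next to the QR code for users enrolling a desktop app that cannot scan."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}"
            f"?secret={b32}&issuer={quote(issuer)}&algorithm=SHA1&digits=6&period={TIME_STEP}")
```

The test vectors in the RFCs (secret "12345678901234567890", counters 0..3 and time 59) are a quick way to confirm that whichever implementation the authentication service uses matches the app on the user's phone.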
#6 2FA SMS
#6 2FA Auth App
#7 Audit Downloads
• IR Download Warning
• Application Vs Database Triggered
• https://spendolini.blogspot.co.uk/2018/04/logging-apex-report-downloads.html
• Disable Browser Copy Function:
    .t-Body {
      -webkit-touch-callout: none; /* iOS Safari */
      -webkit-user-select: none;   /* Safari, Opera and Chrome */
      -khtml-user-select: none;    /* Konqueror */
      -moz-user-select: none;      /* Firefox */
      -ms-user-select: none;       /* Internet Explorer/Edge */
      user-select: none;           /* Non-prefixed version */
    }
#7 Audit Downloads
• On Page Load process where request in csv,rtf,xls
• Redirect to warning modal
• Cancel or Confirm
• Use APEX Views to check Personal / PII
• Use custom checksum to ensure the process is not hacked
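The "custom checksum" step above, as an added example (not code from the slides or from APEX): the export request values are intercepted, and once the user confirms in the warning modal an HMAC-SHA256 token is issued that binds the app, page, session, format and an expiry, so the export process can verify the confirmation really happened and was not replayed or edited. The key, TTL and ids are constructed; in an APEX deployment the equivalent would be PL/SQL with a key held outside the parsing schema.

```python
import hashlib, hmac, secrets, time

EXPORT_REQUESTS = {"csv", "rtf", "xls"}  # the request values the page-load process intercepts
SERVER_KEY = secrets.token_bytes(32)     # constructed; keep it outside the parsing schema (assumption)
TOKEN_TTL = 300                          # seconds a confirmation stays valid

def is_export_request(request):
    """True when the page request is one of the export formats that must go via the warning modal."""
    return (request or "").lower() in EXPORT_REQUESTS

def issue_download_token(app_id, page_id, session_id, fmt, key=SERVER_KEY, now=None):
    """Created only after the user confirms: an HMAC checksum binding app, page, APEX session,
    format and expiry, so the confirm step cannot be skipped, replayed or pointed at another export."""
    fmt = fmt.lower()
    if fmt not in EXPORT_REQUESTS:
        raise ValueError(f"not an export format: {fmt}")
    expires = int(time.time() if now is None else now) + TOKEN_TTL
    payload = f"{app_id}:{page_id}:{session_id}:{fmt}:{expires}"
    mac = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}:{mac}"

def verify_download_token(token, app_id, page_id, session_id, fmt, key=SERVER_KEY, now=None):
    """Re-check before the export runs: recompute the MAC (constant-time compare), then confirm
    every bound field matches the current request and the token has not expired."""
    try:
        t_app, t_page, t_sess, t_fmt, t_exp, mac = token.split(":")
    except ValueError:
        return False                      # malformed or hand-built token
    payload = f"{t_app}:{t_page}:{t_sess}:{t_fmt}:{t_exp}"
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return False                      # any edited field invalidates the checksum
    if (t_app, t_page, t_sess, t_fmt) != (str(app_id), str(page_id), str(session_id), fmt.lower()):
        return False                      # valid token, but for a different app/page/session/format
    return int(t_exp) > int(time.time() if now is None else now)
```

Log the audit record (application, page, username, format, timestamp) at the point where the token verifies, so every export that actually ran has a matching confirmed entry.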
#8 Download Encryption
• PDF Encryption in BI Publisher
• 128-bit AES Encrypted
#8 Download Encryption
#9 Personal Data Access Audit Forms
• After Header Process
• Application ID
• Page ID
• PK ID
• Audit Type
• Username
• DTG
#9 Personal Data Access Audit Reports
• DA After Report Refresh
• On True
• PL/SQL Code
• Check for sensitive columns
• Fire Audit
#10 WAF
1. Oracle Transport Security
2. Mod Security
• OWASP
• APEX Ruleset
Summary
1. Content Security Policy (CSP)
2. Internet Content Adaptation Protocol (ICAP)
3. Transport Layer Security (TLS)
4. HTTP Strict Transport Security (HSTS)
5. Data Catalogue
6. Multi-Factor Authentication (2FA)
7. Audit Downloads
8. Download Encryption
9. Access Audit
10. Web Application Firewall …