Security Tips of APEX Applications... I Don’t Need Security Because …. We are not on the Internet...
![Page 2: Security Tips of APEX Applications...I Don’t Need Security Because …. We are not on the Internet I don’t have any sensitive data Its just for Dev, Test or Demos We have Accreditation,APEX](https://reader035.vdocuments.us/reader035/viewer/2022071420/6118e7614a4d9d6a0e16d910/html5/thumbnails/2.jpg)
Small Print
The Threat Landscape
• Cyber Criminals
• Hacktivists
• Hackers
• Nation States
Or Is It This?
• Competitors
• Script Kiddies
• Employees
• Ex-Employees
I Don’t Need Security Because ….
• We are not on the Internet
• I don’t have any sensitive data
• It’s just for Dev, Test or Demos
• We have Accreditation, VA or Pen Test
• We have Security Teams to worry about that
• It costs too much
• I trust my Users
• All the access points have AV installed
OWASP Top Ten
• A1 – Injection
• A2 – Broken Authentication
• A3 – Sensitive Data Exposure
• A4 – XML External Entities (XXE)
• A5 – Broken Access Control
• A6 – Security Misconfiguration
• A7 – Cross-Site Scripting (XSS)
• A8 – Insecure Deserialization
• A9 – Using Components with Known Vulnerabilities
• A10 – Insufficient Logging & Monitoring
APEX Common Vulnerabilities
• SQL Injection
• Cross-Site Scripting
• URL Tampering
APEX Common Precautions
• Authorization Schemes
• Escape Markup
• Scanning (APEXSec, APEX-SERT, APEX Advisor)
• Fine Grain Access Control (VPD/OLS)
• Database Advanced Security - TDE, DV
• Vulnerability Assessments
Security Frameworks / ISMS
• NCSC Cyber Essentials
• IASME Governance
• NCSC Cyber Essentials Plus
• IASME GOLD
• ISO 27001
Top Tips
1. Secure By Default
2. Defence in Depth
3. Don’t put Data in your parsing schema
4. Use GUIDs not Sequences
5. Friends don’t let friends write authentication
6. Get Wise
7. Testing
8. Technical
NCSC “Secure By Default”
1. Built In, Not Added On
2. Treat Cause, Not Symptoms
3. Process, Not A Goal
4. Don’t Compromise Usability
5. Reliable
6. Evolving
7. Avoid Security Through Obscurity
8. Simple
“Defence In Depth”
• Mutual Support
• Layering Security
APEX Workspace
[Diagram: Application Architecture. Applications connect through a Parsing Schema; the Application Schema, Data Schema and Users Schema are kept separate from it.]
GUID vs Sequences

| Sequence | GUID                 |
|----------|----------------------|
| 10020    | 93487593845939897845 |
| 10040    | 00480353495309485393 |
| 10060    | 03458923396566670000 |
| 10080    | 85849493040959594003 |
| 10090    | 95949300020033040506 |
Authentication
“Friends don’t let friends write authentication”
“Hackers don’t need to hack-in, they just need to log in.”
70% of breaches are from stolen credentials
51% of people still reuse passwords
Enterprise IDAM
1. Oracle Identity Cloud Services
2. OKTA
3. verify.gov.uk
Training
1. OWASP
2. https://portswigger.net/web-security
3. https://www2.owasp.org/www-project-juice-shop/
Testing
APEX Test Automation
Top Tips Summary
1. Secure By Default
2. Defence in Depth
3. Don’t put Data in your parsing schema
4. Use GUIDs not Sequences
5. Friends don’t let friends write authentication
6. Get Wise
7. Testing
#1 Content Security Policy (CSP)
• https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
• https://www.w3.org/TR/CSP3
• HTTP Response Header
• Current Release V2 – V3 Draft
• Supported Chrome 25, IE 10, FF 23, Opera 15, Safari 7
• XSS (By Restricting Domains)
• Packet Sniffing (By Restricting Protocols)
• Active or Passive
  • Content-Security-Policy
  • Content-Security-Policy-Report-Only
#1 APEX CSP - Example
Content-Security-Policy-Report-Only:
report-uri (Deprecated?)
report-to
default-src 'self'
'unsafe-inline'
'report-sample';
• https://www.apextestautomation.co.uk/ords/f?p=285
#1 CSP Violations
• https://devproext.com/addons/lnkr30_nt.min.js
• https://bugdepromo.com/addons/lnkr5.min.js
• https://godlinkapp.com/optout/set/lt
• https://loadsource.org/12345/validate-site.js
• https://www.ciuvo.com
• https://smartlink.cool/optout/get
• https://searches6880472-a.akamaihd.net
• https://hoholikik.club/geolocation/1657/
• https://arcadefungame.com/api/ul
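The two CSP slides above give a report-only policy and a list of script sources that browsers reported against it. The following is an added example, not code from the deck, from APEX or from ORDS: it evaluates those reported URLs against the slide's `default-src 'self' 'unsafe-inline' 'report-sample'` policy for the demo page's origin, and pulls the blocked URIs out of violation reports in both the legacy `report-uri` body and the `report-to` (Reporting API) body. The `report-to` group name, the sample report bodies and the simplified subset of CSP source matching are assumptions made for the example.

```python
"""Added example, not code from the slides or from APEX: evaluate the script
loads reported on the "CSP Violations" slide against the report-only policy on
the "APEX CSP - Example" slide, and pull blocked URIs out of violation reports.
The matching below is a simplified subset of CSP3 source matching (keywords,
'self', '*', scheme sources and host sources with a leading wildcard)."""
import json
from urllib.parse import urlparse

# Policy value from the slide; the report-to group name is an assumption.
POLICY = "default-src 'self' 'unsafe-inline' 'report-sample'; report-to csp-endpoint"
# Page origin taken from the demo URL on the slide.
PAGE_ORIGIN = "https://www.apextestautomation.co.uk"
# Script sources listed on the "CSP Violations" slide.
VIOLATIONS = [
    "https://devproext.com/addons/lnkr30_nt.min.js",
    "https://bugdepromo.com/addons/lnkr5.min.js",
    "https://godlinkapp.com/optout/set/lt",
    "https://loadsource.org/12345/validate-site.js",
    "https://www.ciuvo.com",
    "https://smartlink.cool/optout/get",
    "https://searches6880472-a.akamaihd.net",
    "https://hoholikik.club/geolocation/1657/",
    "https://arcadefungame.com/api/ul",
]


def parse_csp(header_value):
    """Split a CSP header value into {directive: [source expressions]}."""
    policy = {}
    for part in header_value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return policy


def _source_matches(src, target, origin):
    """One CSP source expression against a parsed target URL."""
    if src in ("'none'", "'unsafe-inline'", "'unsafe-eval'", "'report-sample'", "'strict-dynamic'"):
        return False                  # keywords that never permit a fetch from a host
    if src.startswith("'nonce-") or src.startswith("'sha"):
        return False                  # nonce/hash sources apply to inline code, not hosts
    if src == "'self'":
        return (target.scheme, target.hostname, target.port) == (origin.scheme, origin.hostname, origin.port)
    if src == "*":
        return True
    if src.endswith(":"):             # scheme source such as https:
        return target.scheme == src[:-1]
    scheme, _, rest = src.rpartition("://")
    host = rest.split("/", 1)[0].split(":")[0]   # drop any path and port (port matching left out)
    if scheme and target.scheme != scheme:
        return False
    if host.startswith("*."):         # *.example.com matches subdomains only, not the apex domain
        return bool(target.hostname) and target.hostname.endswith(host[1:])
    return target.hostname == host


def is_allowed(policy, directive, url, page_origin=PAGE_ORIGIN):
    """True if `url` may be fetched under `directive`; falls back to default-src, then allow-all."""
    sources = policy.get(directive)
    if sources is None:
        sources = policy.get("default-src", ["*"])
    if "'none'" in sources:
        return False
    target, origin = urlparse(url), urlparse(page_origin)
    return any(_source_matches(s, target, origin) for s in sources)


def audit(urls, header_value=POLICY, page_origin=PAGE_ORIGIN):
    """Map each URL to whether script-src (here inherited from default-src) would permit it."""
    policy = parse_csp(header_value)
    return {u: is_allowed(policy, "script-src", u, page_origin) for u in urls}


def blocked_uris(report_json):
    """Blocked URIs from either the legacy report-uri body or the report-to (Reporting API) body."""
    data = json.loads(report_json)
    items = data if isinstance(data, list) else [data]
    out = []
    for item in items:
        if "csp-report" in item:
            out.append(item["csp-report"].get("blocked-uri", ""))
        elif item.get("type") == "csp-violation":
            out.append(item.get("body", {}).get("blockedURL", ""))
    return out


# Constructed violation reports in both formats, using two of the slide's URLs.
SAMPLE_REPORTS = json.dumps([
    {"csp-report": {"document-uri": PAGE_ORIGIN + "/ords/f?p=285",
                    "effective-directive": "script-src-elem",
                    "blocked-uri": VIOLATIONS[0]}},
    {"type": "csp-violation", "url": PAGE_ORIGIN + "/ords/f?p=285",
     "body": {"effectiveDirective": "script-src-elem", "blockedURL": VIOLATIONS[1]}},
])

if __name__ == "__main__":
    for url, ok in audit(VIOLATIONS).items():
        print("allowed " if ok else "BLOCKED ", url)
    print("reported:", blocked_uris(SAMPLE_REPORTS))
```

Every URL on the violations slide is a third-party host, so none of them passes `'self'`; that is what makes a report-only policy useful as a detector before enforcement is switched on. Note that `'unsafe-inline'` and `'report-sample'` never whitelist a host, they only affect how inline script is treated and how much of it is included in the report.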
#2 ICAP
• https://www.symantec.com/products/protection-engine
• Symantec Protection Engine For Cloud Services
• ORDS Configuration
• Prevent Hosting and Distribution Of Malware
• URL Filtering
• Advanced Machine Learning
• EICAR test file
#2 ICAP Screenshots
#2 ICAP Configuration
• AV Content & Scanning
• Insight
• URL Content & Reputational Filtering
• APK Reputation
• Tuning
  • File Types
  • File Sizes
  • Scan Time
#3 SSL One Way
[Diagram, one-way SSL: Certificate Authority (CA); https request; Access Protected Resource]
#3 SSL Two Way
[Diagram, two-way SSL: Certificate Authority (CA); https request; Access Protected Resource]
#3 Two Way SSL Issues
• Bulk Production of Certificates
• Distribution of Certificates
  • https://send.firefox.com
• Distribution of Passwords
• User Education
  • Installation of certificates
  • Use of certificates
#4 HSTS
• https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
• What: Strict-Transport-Security
• Why: Prevents Man-In-The-Middle attacks
• How: Blocks non-HTTPS connections to the domain
• Test: chrome://net-internals/#hsts
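Beyond looking the host up in chrome://net-internals/#hsts, a reviewer normally wants to check the header value itself. The following is an added example, not code from the deck or from APEX: it parses a Strict-Transport-Security header as defined in RFC 6797 and lists the weaknesses a review would flag (missing header, short or zero max-age, no includeSubDomains, preload without the values the preload list requires). The sample response headers are constructed; in practice they come from an HTTPS response from the ORDS front end.

```python
"""Added example, not code from the slides: parse a Strict-Transport-Security
header (RFC 6797) and report the weaknesses a reviewer would flag. The sample
header sets below are constructed."""

ONE_YEAR = 31536000   # seconds; the max-age hardening guides and the preload list expect


def parse_hsts(value):
    """Return {'max_age': int|None, 'include_subdomains': bool, 'preload': bool}."""
    parsed = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                parsed["max_age"] = int(arg.strip().strip('"'))
            except ValueError:
                pass                      # leave None: an unparsable max-age is a finding
        elif name == "includesubdomains":
            parsed["include_subdomains"] = True
        elif name == "preload":
            parsed["preload"] = True
    return parsed


def hsts_header(headers):
    """Case-insensitive lookup of the header in a dict of response headers."""
    for name, value in headers.items():
        if name.lower() == "strict-transport-security":
            return value
    return None


def assess_hsts(headers, min_age=ONE_YEAR):
    """List of findings; an empty list means the header is present and strong enough."""
    value = hsts_header(headers)
    if value is None:
        return ["missing Strict-Transport-Security header"]
    p = parse_hsts(value)
    findings = []
    if p["max_age"] is None:
        findings.append("max-age missing or not a number")
    elif p["max_age"] == 0:
        findings.append("max-age=0 tells browsers to forget the host")
    elif p["max_age"] < min_age:
        findings.append(f"max-age={p['max_age']} is below {min_age}")
    if not p["include_subdomains"]:
        findings.append("includeSubDomains not set: subdomains can still be reached over http")
    if p["preload"] and (p["max_age"] is None or p["max_age"] < ONE_YEAR or not p["include_subdomains"]):
        findings.append("preload set but the preload list requires max-age >= 1 year and includeSubDomains")
    return findings


# Constructed sample responses.
SAMPLES = {
    "good": {"Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload"},
    "weak": {"strict-transport-security": "max-age=300"},
    "none": {"Content-Type": "text/html"},
}

if __name__ == "__main__":
    for label, headers in SAMPLES.items():
        print(label, "->", assess_hsts(headers) or ["ok"])
```

The header only takes effect once a browser has seen it over a valid HTTPS connection, so the first plain-http request is still unprotected; that is the gap the preload list closes, which is why the check insists on a year-long max-age and includeSubDomains before preload is set.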
#5 Data Catalogue
• Use APEX to Catalogue Data
• Store Information in Database Comments
• Review for Business Use
• Review for Legal Basis (GDPR)
• Demo: https://www.apextestautomation.co.uk/ords/f?p=247
#6 2FA
• OTP Vs SMS Vs U2F
• HMAC OTP Authenticator App
• QR Code App or Free Desktop App (Win and Mac)
1. Included with the Authentication Service
2. Added to the upstream Authentication Service
3. APEX Authentication
#6 2FA Key Features
• SMS Session Code
• Display both QR Code AND Secret Key
• Add/Replace Devices
• Create a new key
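The "HMAC OTP Authenticator App" option on the 2FA slides is the HOTP/TOTP algorithm of RFC 4226 and RFC 6238. The following is an added example, not code from the deck or from any APEX authentication scheme: it generates a secret in the base32 form that is shown next to the QR code, builds the otpauth URI the QR code encodes, computes codes, and verifies them on the server side with a small clock-drift window, a constant-time comparison and a replay check, plus the "create a new key" rotation from the key-features slide. `RFC_SECRET_B32` is the published RFC 6238 test secret; the issuer, account name and everything else are constructed.

```python
"""Added example, not code from the slides or any APEX authentication scheme:
an HMAC-based one-time password (RFC 4226 HOTP / RFC 6238 TOTP) as used by
authenticator apps, with the server-side checks a 2FA step needs: a small
time window, constant-time comparison and no reuse of an accepted code.
RFC_SECRET_B32 is the RFC 6238 test secret; everything else is constructed."""
import base64
import hashlib
import hmac
import os
import struct
import time
from urllib.parse import quote

RFC_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"   # base32 of the RFC test key "12345678901234567890"


def new_secret(nbytes=20):
    """Fresh random shared secret in base32, the form shown as text next to the QR code."""
    return base64.b32encode(os.urandom(nbytes)).decode("ascii")


def otpauth_uri(secret_b32, account, issuer="APEX Demo"):
    """Provisioning URI that the QR code encodes (issuer and account are assumptions)."""
    label = f"{quote(issuer)}:{quote(account)}"
    return (f"otpauth://totp/{label}?secret={secret_b32}&issuer={quote(issuer)}"
            "&algorithm=SHA1&digits=6&period=30")


def hotp(secret_b32, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the big-endian counter, dynamic truncation, then mod 10^digits."""
    key = base64.b32decode(secret_b32, casefold=True)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32, at=None, period=30, digits=6):
    """RFC 6238: HOTP with the counter derived from Unix time."""
    at = time.time() if at is None else at
    return hotp(secret_b32, int(at // period), digits)


class TotpVerifier:
    """Server side of the check for one enrolled device."""

    def __init__(self, secret_b32, window=1, period=30):
        self.secret = secret_b32
        self.window = window          # accept +/- this many 30 s steps of clock drift
        self.period = period
        self.last_step = -1           # highest step already accepted, to stop replay

    def verify(self, code, at=None):
        at = time.time() if at is None else at
        step = int(at // self.period)
        for candidate in range(step - self.window, step + self.window + 1):
            if candidate <= self.last_step:
                continue              # that step (or an earlier one) was already used
            if hmac.compare_digest(hotp(self.secret, candidate), code):
                self.last_step = candidate
                return True
        return False

    def replace_key(self, nbytes=20):
        """'Create a new key' / replace device: rotate the secret and reset the replay state."""
        self.secret = new_secret(nbytes)
        self.last_step = -1
        return self.secret


if __name__ == "__main__":
    secret = new_secret()
    print("show to user:", secret)
    print("QR payload   :", otpauth_uri(secret, "user@example.com"))
    verifier = TotpVerifier(secret)
    print("code accepted:", verifier.verify(totp(secret)))
```

Displaying both the QR code and the base32 secret, as the slide recommends, serves users whose device cannot scan; the secret must then be stored server side with the same care as a password hash, because anyone holding it can compute every future code.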
#6 2FA SMS
#6 2FA Auth App
#7 Audit Downloads
• IR Download Warning
• Application Vs Database Triggered
• https://spendolini.blogspot.co.uk/2018/04/logging-apex-report-downloads.html
• Disable Browser Copy Function
```css
.t-Body {
  -webkit-touch-callout: none; /* iOS Safari */
  -webkit-user-select: none;   /* Safari, Opera and Chrome */
  -khtml-user-select: none;    /* Konqueror */
  -moz-user-select: none;      /* Firefox */
  -ms-user-select: none;       /* Internet Explorer/Edge */
  user-select: none;           /* Non-prefixed version */
}
```
#7 Audit Downloads
• On Page Load process that runs when the request is csv, rtf or xls
• Redirect to warning modal
• Cancel or Confirm
• Use APEX Views to check Personal / PII
• Use a custom checksum so the confirmation process cannot be tampered with or bypassed
#8 Download Encryption
• PDF Encryption in BI Publisher
• 128-bit AES Encrypted
#8 Download Encryption
#9 Personal Data Access Audit Forms
• After Header Process
  • Application ID
  • Page ID
  • PK ID
  • Audit Type
  • Username
  • DTG
#9 Personal Data Access Audit Reports
• DA After Report Refresh
• On True
  • PL/SQL Code
  • Check for sensitive columns
  • Fire Audit
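Slides #7 and #9 describe the same server-side pattern from two angles: a download of CSV/RTF/XLS is held behind a warning step protected by a custom checksum, and a form or report that touches personal data writes an audit record with Application ID, Page ID, PK ID, Audit Type, Username and DTG. The following is an added example, not the deck's code and not APEX's own checksum mechanism: it issues an HMAC-signed confirmation token at page load, verifies it (constant-time compare, same session user, expiry) when the user confirms, checks the report's columns against a data catalogue of personal-data columns, and writes the audit record. The secret, the catalogue, the in-memory audit list and the request values are constructed stand-ins for APEX page processes, database comments and an audit table.

```python
"""Added example, not the deck's code: the server-side pieces behind slides #7
and #9 in plain Python. A download request for CSV/RTF/XLS gets a signed
confirmation token (the "custom checksum"); the confirm step verifies the
token, checks the report's columns against a data catalogue for personal data,
and writes an audit record with the fields listed on slide #9. The secret,
catalogue, audit list and request values are constructed stand-ins."""
import hashlib
import hmac
import json
import secrets
import time

AUDITED_FORMATS = {"CSV", "RTF", "XLS"}   # request values that trigger the warning modal
TOKEN_MAX_AGE = 300                       # seconds a confirmation token stays valid
SECRET = secrets.token_bytes(32)          # constructed; in APEX this would live server side only

# Constructed data catalogue (slide #5 keeps this in database comments): table -> PII columns.
CATALOGUE = {"EMPLOYEES": {"EMAIL", "PHONE", "NI_NUMBER"}, "DEPARTMENTS": set()}
AUDIT_LOG = []                            # stands in for the audit table


def _canonical(fields):
    """Stable byte encoding so the MAC covers exactly the issued fields."""
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def issue_token(secret, app_id, page_id, username, request, issued_at=None):
    """Page-load process: bind app, page, user and format to a MAC before redirecting to the modal."""
    fields = {"app_id": app_id, "page_id": page_id, "username": username,
              "request": request.upper(),
              "iat": int(time.time() if issued_at is None else issued_at)}
    return fields, hmac.new(secret, _canonical(fields), hashlib.sha256).hexdigest()


def confirm_download(secret, fields, mac, session_user, now=None, max_age=TOKEN_MAX_AGE):
    """Confirm action: (ok, reason). Fails on tampering, another user's token, or expiry."""
    now = time.time() if now is None else now
    expected = hmac.new(secret, _canonical(fields), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):
        return False, "checksum mismatch"
    if fields.get("username") != session_user:
        return False, "token issued to a different user"
    if now - fields.get("iat", 0) > max_age:
        return False, "token expired"
    return True, "ok"


def needs_confirmation(request):
    """True for the download formats the slide routes through the warning modal."""
    return (request or "").upper() in AUDITED_FORMATS


def sensitive_columns(table, columns):
    """Columns of a report that the catalogue marks as personal data."""
    return sorted({c.upper() for c in columns} & CATALOGUE.get(table.upper(), set()))


def fire_audit(app_id, page_id, pk_id, audit_type, username, dtg=None):
    """Slide #9 fields: Application ID, Page ID, PK ID, Audit Type, Username, DTG."""
    record = {"app_id": app_id, "page_id": page_id, "pk_id": pk_id, "audit_type": audit_type,
              "username": username, "dtg": time.time() if dtg is None else dtg}
    AUDIT_LOG.append(record)
    return record


def handle_confirm(secret, fields, mac, session_user, table, columns, now=None):
    """Full confirm step: verify the token, then audit (noting any PII columns) or refuse."""
    ok, reason = confirm_download(secret, fields, mac, session_user, now=now)
    if not ok:
        return None, reason
    pii = sensitive_columns(table, columns)
    record = fire_audit(fields["app_id"], fields["page_id"], None,
                        "DOWNLOAD_PII" if pii else "DOWNLOAD", session_user, dtg=now)
    record["columns"] = pii
    return record, "ok"


if __name__ == "__main__":
    if needs_confirmation("CSV"):
        fields, mac = issue_token(SECRET, 285, 10, "JSMITH", "CSV")
        rec, why = handle_confirm(SECRET, fields, mac, "JSMITH", "EMPLOYEES", ["ID", "EMAIL", "PHONE"])
        print(why, rec)
```

Binding the username and an issue time into the MAC is what stops a confirmation token from being replayed from another session or kept indefinitely; the same record structure can be written from the after-header process on a form (with the row's PK ID) and from the after-refresh dynamic action on a report.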
#10 WAF
1. Oracle Transport Security
2. ModSecurity
  • OWASP
  • APEX Ruleset
Summary
1. Content Security Policy (CSP)
2. Internet Content Adaptation Protocol (ICAP)
3. Transport Layer Security (TLS)
4. HTTP Strict Transport Security (HSTS)
5. Data Catalogue
6. Multi-Factor Authentication (2FA)
7. Audit Downloads
8. Download Encryption
9. Access Audit
10. Web Application Firewall …