Post on 30-May-2020
APEX-SERT Overview
Welcome
About Me
@sspendol
scott@sumnertech.com
About Sumner Technologies
• Originally founded in 2005
– Purchased by Enkitec in 2012
– Enkitec purchased by Accenture in 2014
– Re-launched in 2015
• Sumner Technologies provides world-class services and education for Oracle Application Express and Oracle Database Cloud
– Development, migration, health & security checks
Agenda
• Overview
• About APEX-SERT
• Demonstration
• Q&A
Overview
Security is hard. If it’s easy, it’s likely wrong.
Security Budget Disparities
(Chart: security budget before a breach vs. after a breach; labels on the chart: “Most Emphasized”, “Most Funded”)
Reasons We Ignore Security in Our Apps
• Not enough time
• Unimportant data
• Internal only
• Stupid users
• Not my job
• Small app
Recipe for Disaster
• Given:
– The stresses of getting our applications released quickly
– The lack of time we have to do so
• Our applications - APEX & otherwise - are likely to have potential security vulnerabilities that we could easily fix
– If we only knew what they were and had the time...
About APEX-SERT
APEX-SERT
• APEX-SERT: APEX Security Evaluation & Recommendation Tool
• APEX application designed to evaluate and identify potential security issues in other APEX applications
– Support for APEX 4.2 & 5.0
• Installs once and can be accessed instantly from any workspace with existing developer credentials
• Now available as open source under the GPLv3 license
How it Works
• APEX-SERT evaluates your application’s metadata for potential security issues
– Takes only a few seconds to run
• Result is an interactive APEX application that allows developers to easily explore and mitigate potential threats
– Each application is scored based on APEX-SERT’s findings
• Designed to clearly identify what needs attention and steer developers or managers in that direction
– Click on a defect to edit and remedy it
Vulnerabilities Addressed
• APEX-SERT will look for 5 classifications of potential vulnerabilities:
– URL Tampering
– Cross Site Scripting
– SQL Injection
– Page Settings
– Application Settings
Complete Evaluation
• APEX-SERT evaluates all components of an application, regardless of their condition & authorization scheme
– Nothing gets skipped
• APEX-SERT can be pre-configured with a set of valid values and rules
– Which can be changed or augmented depending on your interpretation or business needs
Security is not a product, but rather a process.
Ongoing Evaluation
• APEX-SERT allows developers to add exceptions for false positives and acceptable risks
• All exceptions must be reviewed & approved by a manager before the “approved” score increases
• As exceptions are logged, the value of the attribute in question is also captured
– If this value changes at any time, the exception will be instantly flagged as “stale” and require re-approval
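The three preceding slides (the five vulnerability classifications, the evaluate-everything rule and the exception/stale mechanism) describe a workflow rather than show it. The following is an added example, not APEX-SERT’s own code and not a real APEX dictionary query: it models a small metadata-driven evaluation in Python with constructed sample rows. The component classes, the attribute names, the “safe” protection levels and the scoring formula (percentage of checks without an open finding) are all assumptions chosen for illustration; it shows a raw score, an approved score that only rises once a manager-approved exception covers a finding, and the exception turning stale when the captured attribute value no longer matches the current metadata.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# --- Constructed sample metadata: stand-ins for APEX component rows, not real views ---

@dataclass(frozen=True)
class PageItem:
    app_id: int
    page_id: int
    name: str
    protection_level: str      # assumed values: UNRESTRICTED, CHECKSUM_APP, CHECKSUM_SESSION, RESTRICTED

@dataclass(frozen=True)
class ReportColumn:
    app_id: int
    page_id: int
    name: str
    escape_output: bool        # False => raw HTML is rendered, a Cross Site Scripting candidate

@dataclass(frozen=True)
class Finding:
    category: str              # one of the five classifications from the deck
    component: str             # "app:page:name" key
    attribute: str
    value: str                 # attribute value at evaluation time

@dataclass
class LoggedException:
    """An exception (false positive / accepted risk) with the attribute value captured when logged."""
    component: str
    attribute: str
    captured_value: str
    approved: bool = False     # set by a manager review, never by the developer

Key = Tuple[str, str]
SAFE_LEVELS = {"CHECKSUM_SESSION", "RESTRICTED"}   # assumed rule, not SERT's actual rule set

def snapshot(items: List[PageItem], columns: List[ReportColumn]) -> Dict[Key, str]:
    """Flatten every component/attribute pair to its current value (nothing is skipped)."""
    snap: Dict[Key, str] = {}
    for it in items:
        snap[(f"{it.app_id}:{it.page_id}:{it.name}", "protection_level")] = it.protection_level
    for c in columns:
        snap[(f"{c.app_id}:{c.page_id}:{c.name}", "escape_output")] = str(c.escape_output)
    return snap

def evaluate(items: List[PageItem], columns: List[ReportColumn]) -> List[Finding]:
    """Run each rule over every component regardless of its condition or authorization scheme."""
    findings: List[Finding] = []
    for it in items:
        if it.protection_level not in SAFE_LEVELS:
            findings.append(Finding("URL Tampering", f"{it.app_id}:{it.page_id}:{it.name}",
                                    "protection_level", it.protection_level))
    for c in columns:
        if not c.escape_output:
            findings.append(Finding("Cross Site Scripting", f"{c.app_id}:{c.page_id}:{c.name}",
                                    "escape_output", str(c.escape_output)))
    return findings

def score(findings: List[Finding], exceptions: List[LoggedException], snap: Dict[Key, str]) -> dict:
    """Raw score counts every finding. Approved score additionally drops findings covered by an
    approved exception whose captured value still equals the current value; a changed value
    marks the exception stale and revokes its approval until a manager re-approves it."""
    stale: List[Key] = []
    covered = set()
    for ex in exceptions:
        key = (ex.component, ex.attribute)
        if snap.get(key) != ex.captured_value:
            stale.append(key)
            ex.approved = False            # requires re-approval
        elif ex.approved:
            covered.add(key)
    open_findings = [f for f in findings if (f.component, f.attribute) not in covered]
    checks = len(snap)
    return {
        "raw_score": round(100 * (1 - len(findings) / checks)),
        "approved_score": round(100 * (1 - len(open_findings) / checks)),
        "stale": stale,
    }

def run_demo() -> Tuple[dict, dict]:
    """Two evaluations: after a manager approves an exception, then after the attribute changes."""
    columns = [ReportColumn(100, 1, "SALARY", True), ReportColumn(100, 1, "NOTES", False)]
    items = [PageItem(100, 1, "P1_ID", "UNRESTRICTED"), PageItem(100, 1, "P1_NAME", "RESTRICTED")]
    exceptions = [LoggedException("100:1:P1_ID", "protection_level", "UNRESTRICTED", approved=True)]
    before = score(evaluate(items, columns), exceptions, snapshot(items, columns))

    # A developer later changes P1_ID to CHECKSUM_APP: still not in SAFE_LEVELS, so the finding
    # remains, but the captured value no longer matches, so the exception goes stale.
    items[0] = PageItem(100, 1, "P1_ID", "CHECKSUM_APP")
    after = score(evaluate(items, columns), exceptions, snapshot(items, columns))
    return before, after

if __name__ == "__main__":
    for label, result in zip(("before change", "after change"), run_demo()):
        print(label, result)
```

Running the block prints a raw score of 50 in both evaluations (two of four checks fail), an approved score of 75 while the P1_ID exception is valid, and 50 again once the attribute changed and the exception was flagged stale.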
Without APEX-SERT
• Correcting each additional security vulnerability may cause other functional issues
– Thus, a high number of vulnerabilities corrected at once will yield more functional defects and increase development time
(Chart: vulnerabilities vs. time; annotation: “Fixing issues here will likely break something else”)
With APEX-SERT
• Using APEX-SERT to keep security vulnerabilities to a minimum reduces the number of functional defects introduced
(Chart: vulnerabilities vs. time; annotation: “Preventing a high number of vulnerabilities ensures fewer defects introduced”)
Demonstration
Summary
“Yesterday, you said tomorrow”
• With APEX-SERT, there is no longer an excuse to ignore the security of your APEX applications
– Installs & configures in minutes
– Totally integrated into the APEX builder
– Easy to learn and use
– Evaluations can be automated
– No license costs
Summary
• APEX-SERT provides you with the ability to easily and quickly identify and remedy most APEX security vulnerabilities
– It is designed to be used throughout the development process, not as a checkpoint at the end
– As a side-effect, your developers will become more security-conscious by using APEX-SERT and incorporate secure best practices by default
Availability
• APEX 4.2
– Available today
– No new features; only bug fixes for supported customers
• APEX 5.0
– Available today
– Limited new features
• APEX 5.1
– Available “Soon”
Downloads
• All releases & source code available on GitHub:
– https://github.com/OraOpenSource/apex-sert
– Click on releases
– Download & extract sert_050000.zip
• APEX-SERT home page via OraOpenSource:
– http://oraopensource.com/apex-sert
Support
• Sumner Technologies provides complete for-cost support for APEX-SERT
– Per-instance or per-site basis
• Contact us for details & pricing
– info@sumnertech.com
– http://www.sumnertech.com/apex-sert
– 703-722-1495
Q & A