We have noticed that even developers with the best of intentions can still end up with vulnerable APEX applications. That's why we're in the final stages of publishing a book covering the classes of security risk we have encountered while securing high-security APEX installations over the years.
All the examples are taken from real-world APEX applications, just sanitised and distilled to demonstrate particular areas of vulnerability. The book gives examples of vulnerable code and shows the correct way to fix your applications. We've submitted the technical content to the publishers and the edit is underway.
The structure so far breaks down into the four main areas of risk:
- Access Control - applying authentication and authorisation schemes, common pitfalls.
- Cross-Site Scripting - attacks and defences, encoding functions.
- SQL Injection - query syntax modification, impact of attacks, subtle differences between vulnerable and non-vulnerable PL/SQL code.
- Item Protection - classification of items and the protection each type requires.
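To illustrate the kind of "subtle difference" the SQL Injection chapter deals with, here is an added PL/SQL example that is not taken from the book or from the original post. It assumes a hypothetical ORDERS table (ORDER_ID, AMOUNT) and shows three variants of the same lookup: one that concatenates the caller's value into the statement text, one that passes it as a bind variable, and one that handles the case binds cannot cover (an ORDER BY column) with an explicit whitelist. In an APEX application the untrusted value would typically arrive from a page item via `v('P1_ORDER_ID')` or a `:P1_ORDER_ID` bind; the functions below take it as a parameter so they can be compiled and called on their own.

```sql
-- Added example (not from the book). Assumes a hypothetical table:
--   CREATE TABLE orders (order_id VARCHAR2(20), amount NUMBER);

-- VULNERABLE: the caller-controlled value becomes part of the statement text.
-- Calling get_order_total_vuln(q'[x' OR '1'='1]') turns the WHERE clause into
--   WHERE order_id = 'x' OR '1'='1'
-- and returns the total of every order in the table.
CREATE OR REPLACE FUNCTION get_order_total_vuln (p_order_id IN VARCHAR2)
  RETURN NUMBER
IS
  l_total NUMBER;
BEGIN
  EXECUTE IMMEDIATE
    'SELECT SUM(amount) FROM orders WHERE order_id = ''' || p_order_id || ''''
    INTO l_total;
  RETURN l_total;
END get_order_total_vuln;
/

-- SAFE: the value travels as a bind variable, never as statement text, so the
-- same input is simply compared as a literal string and matches nothing.
CREATE OR REPLACE FUNCTION get_order_total (p_order_id IN VARCHAR2)
  RETURN NUMBER
IS
  l_total NUMBER;
BEGIN
  EXECUTE IMMEDIATE
    'SELECT SUM(amount) FROM orders WHERE order_id = :b_order_id'
    INTO l_total
    USING p_order_id;
  RETURN l_total;
END get_order_total;
/

-- Identifiers (column names, table names, ORDER BY targets) cannot be bound,
-- so a user-selectable sort column has to be mapped through a whitelist.
-- Anything outside the whitelist is rejected rather than concatenated.
CREATE OR REPLACE FUNCTION get_order_ids_sorted (p_sort_col IN VARCHAR2)
  RETURN SYS.ODCIVARCHAR2LIST
IS
  l_ids      SYS.ODCIVARCHAR2LIST;
  l_sort_col VARCHAR2(30);
BEGIN
  -- Map the request onto a fixed set of real column names.
  l_sort_col := CASE UPPER(p_sort_col)
                  WHEN 'ORDER_ID' THEN 'order_id'
                  WHEN 'AMOUNT'   THEN 'amount'
                END;
  IF l_sort_col IS NULL THEN
    RAISE_APPLICATION_ERROR(-20001, 'Unsupported sort column');
  END IF;

  EXECUTE IMMEDIATE
    'SELECT order_id FROM orders ORDER BY ' || l_sort_col
    BULK COLLECT INTO l_ids;
  RETURN l_ids;
END get_order_ids_sorted;
/

-- Quick check of the three behaviours (hypothetical data):
--   INSERT INTO orders VALUES ('A1', 10); INSERT INTO orders VALUES ('B2', 20);
--   SELECT get_order_total_vuln(q'[x' OR '1'='1]') FROM dual;  -- 30: filter bypassed
--   SELECT get_order_total(q'[x' OR '1'='1]')      FROM dual;  -- NULL: no such order
--   SELECT get_order_total('A1')                   FROM dual;  -- 10
--   SELECT * FROM TABLE(get_order_ids_sorted('amount; DROP TABLE orders')); -- ORA-20001
```

The point of the last function is the one that catches otherwise careful developers: the `USING` clause fixes value injection, but the moment a column or table name is taken from the request the only defence is to refuse anything that is not on a list you wrote yourself.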
Learning through example is a great way to experiment with APEX security and equips developers with some of the tools and techniques used by attackers. By showing step-by-step how data can be accessed with SQL Injection or how users can be attacked with Cross-Site Scripting, developers will be made aware of attack techniques and understand how the defensive mechanisms of APEX can be used to protect their applications.
Most existing texts on APEX security are confined to a single chapter within a general programming book, or simplified to such an extent that they give a false sense of security. This book gets into the mindset of attackers and deep into the APEX framework to tackle the difficult world of security head-on.
We're proud to be working on this eBook with Wiley, who publish the wonderful Web Application Hacker's Handbook, a must-read for any web technology developer.
We're hoping to announce the release of our Hands-on Oracle APEX Security eBook in the coming months; watch this space!