Security Tips of APEX Applications...I Don’t Need Security Because …. We are not on the Internet...

Page 1

Security Tips for APEX Applications

Simon Hunt BEng(Hons) MSc PGCE MIET MCGI VR

[email protected]

Page 2

Small Print

Page 3

The Threat Landscape

• Cyber Criminals

• Hacktivists

• Hackers

• Nation States

Page 4

Or Is It This?

• Competitors

• Script Kiddies

• Employees

• Ex-Employees

Page 5

I Don't Need Security Because ….

• We are not on the Internet

• I don't have any sensitive data

• It's just for Dev, Test or Demos

• We have Accreditation, VA or Pen Test

• We have Security Teams to worry about that

• It costs too much

• I trust my Users

• All the access points have AV installed

Page 6

OWASP Top Ten (2017 edition)

• A1 – Injection

• A2 – Broken Authentication

• A3 – Sensitive Data Exposure

• A4 – XML External Entities (XXE)

• A5 – Broken Access Control

• A6 – Security Misconfiguration

• A7 – Cross-Site Scripting (XSS)

• A8 – Insecure Deserialization

• A9 – Using Components with Known Vulnerabilities

• A10 – Insufficient Logging & Monitoring

Page 7

APEX Common Vulnerabilities

• SQL Injection

• Cross-Site Scripting

• URL Tampering

Page 8

APEX Common Precautions

• Authorization Schemes

• Escape Markup

• Scanning (APEXSec, APEX-SERT, APEX Advisor)

• Fine-Grained Access Control (VPD: Virtual Private Database; OLS: Oracle Label Security)

• Database Advanced Security: TDE (Transparent Data Encryption), DV (Database Vault)

• Vulnerability Assessments
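The three vulnerability classes from page 7 next to the precautions from page 8, as an added PL/SQL example (not code from the slides). It assumes a table EMPLOYEES (EMP_ID, LAST_NAME, SALARY, OWNER_USER) and page items P10_LAST_NAME and P10_EMP_ID on page 10; the function names are illustrative.

```sql
-- Added example, not code from the slides. Assumed objects: EMPLOYEES
-- (EMP_ID, LAST_NAME, SALARY, OWNER_USER), page items P10_LAST_NAME / P10_EMP_ID.

-- 1. SQL injection: a page item concatenated into dynamic SQL.
--    Input  x' OR 1=1 --  returns every row; a UNION payload reads other tables.
CREATE OR REPLACE FUNCTION emp_search_vulnerable (p_name IN VARCHAR2)
   RETURN SYS_REFCURSOR
IS
   l_cur SYS_REFCURSOR;
BEGIN
   OPEN l_cur FOR
      'SELECT emp_id, last_name FROM employees WHERE last_name = ''' || p_name || '''';
   RETURN l_cur;
END;
/

-- Fixed: the value is passed as a bind, so it is data, never SQL. In a report
-- region the same thing is simply  WHERE last_name = :P10_LAST_NAME  in the source.
CREATE OR REPLACE FUNCTION emp_search_safe (p_name IN VARCHAR2)
   RETURN SYS_REFCURSOR
IS
   l_cur SYS_REFCURSOR;
BEGIN
   OPEN l_cur FOR
      'SELECT emp_id, last_name FROM employees WHERE last_name = :name' USING p_name;
   RETURN l_cur;
END;
/

-- 2. Cross-site scripting: PL/SQL region source printing a page item unescaped.
--    A stored last name of  <img src=x onerror=alert(document.cookie)>  runs for
--    every viewer. apex_escape.html is what the "Escape special characters"
--    attribute does for report columns; do it yourself wherever you emit HTML.
BEGIN
   htp.p('<h2>Results for ' || :P10_LAST_NAME || '</h2>');                    -- vulnerable
   htp.p('<h2>Results for ' || apex_escape.html(:P10_LAST_NAME) || '</h2>'); -- escaped
END;

-- 3. URL tampering: if P10_EMP_ID is unprotected, editing 42 to 43 in
--    f?p=...::NO::P10_EMP_ID:42 reaches another record. Generate links with a
--    checksum, set Session State Protection on the item to "Checksum Required",
--    and still authorise the row server-side so a leaked link is not enough.
SELECT emp_id,
       apex_util.prepare_url(
          p_url           => 'f?p=' || :APP_ID || ':10:' || :APP_SESSION
                             || '::NO::P10_EMP_ID:' || emp_id,
          p_checksum_type => 'SESSION') AS edit_link
  FROM employees
 WHERE owner_user = :APP_USER;
```

Run the two search functions with the payload in the comment to see the difference; the checksum in the last query only holds up if the page item's protection is actually switched on, otherwise APEX ignores the parameter.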

Page 9

Security Frameworks / ISMS

• NCSC Cyber Essentials

• IASME Governance

• NCSC Cyber Essentials Plus

• IASME GOLD

• ISO 27001

Page 10

Top Tips

1. Secure By Default

2. Defence in Depth

3. Don't put Data in your parsing schema

4. Use GUIDs not Sequences

5. Friends don't let friends write authentication

6. Get Wise

7. Testing

8. Technical

Page 11

NCSC “Secure By Default”

1. Built In, Not Added On

2. Treat Cause, Not Symptoms

3. Process, Not A Goal

4. Don’t Compromise Usability

5. Reliable

6. Evolving

7. Avoid Security Through Obscurity

8. Simple

Page 12

“Defence In Depth”

• Mutual Support

• Layering Security

Page 13

Application Architecture

Diagram (text reconstruction): an APEX Workspace contains one or more Applications. Each Application is tied to a Parsing Schema, which is drawn separately from the Application Schema (PL/SQL code), the Data Schema (tables) and the Users Schema (accounts): the parsing schema itself holds no data.
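The schema split drawn on page 13 and tip #3 ("don't put data in your parsing schema"), as an added example that is not from the slides. Run as a DBA. Assumed names: HR_DATA owns the tables, HR_APP owns the PL/SQL API, HR_PARSE is the schema registered to the APEX workspace; the passwords are placeholders.

```sql
-- Added example, not from the slides. Run as a DBA; HR_DATA / HR_APP / HR_PARSE
-- and the passwords are assumed names.
CREATE USER hr_data  IDENTIFIED BY "change-me-1" QUOTA UNLIMITED ON users;
CREATE USER hr_app   IDENTIFIED BY "change-me-2";
CREATE USER hr_parse IDENTIFIED BY "change-me-3";            -- no quota: cannot store rows
GRANT CREATE SESSION, CREATE TABLE, CREATE VIEW TO hr_data;
GRANT CREATE SESSION, CREATE PROCEDURE          TO hr_app;
GRANT CREATE SESSION, CREATE SYNONYM            TO hr_parse;  -- no CREATE TABLE / PROCEDURE

CREATE TABLE hr_data.employees (
   emp_id    NUMBER PRIMARY KEY,
   last_name VARCHAR2(100),
   salary    NUMBER
);

-- Reads go through a view that omits the sensitive column; writes only through an API.
CREATE VIEW hr_data.employees_v AS SELECT emp_id, last_name FROM hr_data.employees;
GRANT SELECT ON hr_data.employees_v TO hr_parse;
GRANT SELECT, UPDATE ON hr_data.employees TO hr_app;

-- Definer's rights: the procedure runs with HR_APP's privileges; HR_PARSE only gets EXECUTE.
CREATE OR REPLACE PROCEDURE hr_app.set_salary (p_emp_id IN NUMBER, p_salary IN NUMBER)
   AUTHID DEFINER
IS
BEGIN
   UPDATE hr_data.employees SET salary = p_salary WHERE emp_id = p_emp_id;
END;
/
GRANT EXECUTE ON hr_app.set_salary TO hr_parse;

-- Synonyms so APEX page SQL can say  employees_v  and  set_salary  unqualified.
CREATE SYNONYM hr_parse.employees_v FOR hr_data.employees_v;
CREATE SYNONYM hr_parse.set_salary  FOR hr_app.set_salary;

-- Checks: the parsing schema should own synonyms only, and an injection that runs
-- as HR_PARSE should be able to reach nothing but the view and the procedure.
SELECT object_type, COUNT(*) FROM dba_objects WHERE owner = 'HR_PARSE' GROUP BY object_type;
SELECT owner, table_name, privilege FROM dba_tab_privs WHERE grantee = 'HR_PARSE' ORDER BY 1, 2;
```

Register HR_PARSE as the workspace schema. The two check queries are worth running after every release: a stray CREATE TABLE or a direct grant on the base table is how data drifts back into the parsing schema.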

Page 14

GUID vs Sequences

Sequence-generated keys (dense, predictable, enumerable by editing the URL):

10020, 10040, 10060, 10080, 10090

GUID keys (128-bit, not guessable; the slide shows illustrative digit strings, Oracle's SYS_GUID() returns a RAW(16) normally displayed as 32 hex characters):

93487593845939897845, 00480353495309485393, 03458923396566670000, 85849493040959594003, 95949300020033040506
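Tip #4 in SQL, as an added example that is not from the slides: a sequence-keyed and a GUID-keyed table side by side, the caveat about SYS_GUID, and an inventory query for tables still exposing a bare numeric key. CUSTOMER_SEQ and CUSTOMER_GUID are assumed names.

```sql
-- Added example, not from the slides. CUSTOMER_SEQ / CUSTOMER_GUID are assumed names;
-- the trigger needs EXECUTE on DBMS_CRYPTO granted to the schema.

-- Sequence-keyed: f?p=...:P20_ID:10020 invites a loop over 10021, 10022, ...,
-- and the gaps between keys leak insert volume.
CREATE TABLE customer_seq (
   cust_id NUMBER GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
   name    VARCHAR2(100)
);

-- GUID-keyed: a 128-bit RAW(16) key, shown as 32 hex characters.
CREATE TABLE customer_guid (
   cust_id RAW(16) DEFAULT SYS_GUID() PRIMARY KEY,
   name    VARCHAR2(100)
);

-- Caveat: SYS_GUID is specified to be unique, not unpredictable; on some platforms
-- successive values differ in only a few bytes. When guessing resistance is the
-- point, draw the key from the CSPRNG instead. DBMS_CRYPTO cannot be called in a
-- column DEFAULT, hence the trigger.
CREATE OR REPLACE TRIGGER customer_guid_bi
   BEFORE INSERT ON customer_guid FOR EACH ROW
BEGIN
   :NEW.cust_id := DBMS_CRYPTO.RANDOMBYTES(16);
END;
/

INSERT INTO customer_seq  (name) VALUES ('Alice');
INSERT INTO customer_seq  (name) VALUES ('Bob');
INSERT INTO customer_guid (name) VALUES ('Alice');
INSERT INTO customer_guid (name) VALUES ('Bob');

SELECT cust_id            FROM customer_seq;    -- consecutive integers
SELECT RAWTOHEX(cust_id)  FROM customer_guid;   -- unrelated 32-character hex strings

-- Inventory check: tables in the parsing schema whose primary key is a bare NUMBER,
-- i.e. candidates for a GUID or at least a checksum-protected page item.
SELECT c.table_name, cc.column_name, tc.data_type
  FROM user_constraints  c
  JOIN user_cons_columns cc ON cc.constraint_name = c.constraint_name
  JOIN user_tab_columns  tc ON tc.table_name = cc.table_name
                           AND tc.column_name = cc.column_name
 WHERE c.constraint_type = 'P'
   AND tc.data_type = 'NUMBER';
```

A GUID hides rows from enumeration; it does not replace an authorization scheme or the URL checksum, and a GUID in a URL is a bearer token that ends up in proxy logs and browser history, so treat it like one.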

Page 15

Authentication

“Friends don’t let friends write authentication”

“Hackers don’t need to hack-in, they just need to log in."

• 70%: breaches from stolen credentials

• 51%: of people still reuse passwords

Page 16

Enterprise IDAM

1. Oracle Identity Cloud Services

2. OKTA

3. verify.gov.uk (GOV.UK Verify; the service closed in 2023)

Page 17

Training

1. OWASP

2. https://portswigger.net/web-security

3. https://www2.owasp.org/www-project-juice-shop/

Page 18

Testing

APEX Test Automation

Page 19

Top Tips Summary

1. Secure By Default

2. Defence in Depth

3. Don't put Data in your parsing schema

4. Use GUIDs not Sequences

5. Friends don't let friends write authentication

6. Get Wise

7. Testing

Page 20

#1 Content Security Policy (CSP)

• https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP

• https://www.w3.org/TR/CSP3

• An HTTP response header set by the server; the browser enforces it

• Current release: Level 2; Level 3 is a W3C draft

• Supported since Chrome 25, Firefox 23, Opera 15, Safari 7 (IE 10/11 only honour the sandbox directive, via X-Content-Security-Policy)

• Mitigates XSS by restricting the origins scripts and other resources may be loaded from

• Mitigates packet sniffing by restricting resources to https: (or upgrade-insecure-requests)

• Active or passive:

• Content-Security-Policy (enforced: violating resources are blocked)

• Content-Security-Policy-Report-Only (violations are reported, nothing is blocked)

Page 21

#1 APEX CSP - Example

Header as sent (report-only, so violations are logged but nothing is blocked yet):

Content-Security-Policy-Report-Only: default-src 'self' 'unsafe-inline' 'report-sample'; report-uri <reporting endpoint>; report-to <Reporting API group>

• report-uri is deprecated in CSP Level 3 in favour of report-to, but it is still the most widely supported of the two; send both while browsers catch up

• 'report-sample' puts the first 40 characters of the offending inline script into the report, which is what makes triage possible

• Caveat: 'unsafe-inline' is needed because APEX emits inline scripts and styles, but it also lets an injected inline <script> run. A policy with 'unsafe-inline' and no nonce does not stop reflected or stored XSS, so Escape Markup remains the primary control and CSP is the second layer

• https://www.apextestautomation.co.uk/ords/f?p=285

Page 22

#1 CSP Violations (blocked-uri values reported by the policy above; script hosts like these, seen from a few clients, are typical of adware browser extensions injecting into users' pages rather than of the application, which is exactly what report-only mode surfaces without breaking anything)

• https://devproext.com/addons/lnkr30_nt.min.js

• https://bugdepromo.com/addons/lnkr5.min.js

• https://godlinkapp.com/optout/set/lt

• https://loadsource.org/12345/validate-site.js

• https://www.ciuvo.com

• https://smartlink.cool/optout/get

• https://searches6880472-a.akamaihd.net

• https://hoholikik.club/geolocation/1657/

• https://arcadefungame.com/api/ul
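A violation-report endpoint for the report-only policy on page 21, defined with the ORDS PL/SQL API, and the triage query that produces a list like the one above; this is an added example, not the presenter's code. It assumes the schema is already ORDS-enabled under the base path /appsec/ (so the endpoint is .../ords/appsec/csp/report and the header carries report-uri /ords/appsec/csp/report), and that CSP_REPORTS is a free table name.

```sql
-- Added example, not the presenter's code. Assumes an ORDS-enabled schema with base
-- path /appsec/; CSP_REPORTS and the module name 'csp' are assumed names.

CREATE TABLE csp_reports (
   id          NUMBER GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
   received_at TIMESTAMP WITH TIME ZONE DEFAULT SYSTIMESTAMP NOT NULL,
   user_agent  VARCHAR2(4000),
   report      BLOB,
   CONSTRAINT csp_reports_is_json CHECK (report IS JSON)
);

BEGIN
   ords.define_module  (p_module_name => 'csp', p_base_path => '/csp/');
   ords.define_template(p_module_name => 'csp', p_pattern => 'report');
   ords.define_handler (
      p_module_name   => 'csp',
      p_pattern       => 'report',
      p_method        => 'POST',
      p_source_type   => ords.source_type_plsql,
      -- report-uri posts application/csp-report; report-to posts application/reports+json
      p_mimes_allowed => 'application/csp-report,application/reports+json,application/json',
      p_source        => q'[
         BEGIN
            INSERT INTO csp_reports (user_agent, report) VALUES (:user_agent, :body);
            :status_code := 204;   -- no body: the browser discards the response anyway
         END;]');
   -- expose the User-Agent request header to the handler as :user_agent
   ords.define_parameter(
      p_module_name        => 'csp',
      p_pattern            => 'report',
      p_method             => 'POST',
      p_name               => 'User-Agent',
      p_bind_variable_name => 'user_agent',
      p_source_type        => 'HEADER',
      p_param_type         => 'STRING',
      p_access_method      => 'IN');
   COMMIT;
END;
/

-- Triage (report-uri format: {"csp-report": {"blocked-uri": ..., "violated-directive": ...,
-- "document-uri": ..., "script-sample": ...}}). A host nobody on the team recognises,
-- seen from a handful of user agents, is usually an adware extension on those users'
-- machines; the same host seen from everyone is your application.
SELECT JSON_VALUE(report FORMAT JSON, '$."csp-report"."blocked-uri"')        AS blocked_uri,
       JSON_VALUE(report FORMAT JSON, '$."csp-report"."violated-directive"') AS directive,
       COUNT(*)                   AS hits,
       COUNT(DISTINCT user_agent) AS distinct_agents,
       MIN(received_at)           AS first_seen,
       MAX(received_at)           AS last_seen
  FROM csp_reports
 GROUP BY JSON_VALUE(report FORMAT JSON, '$."csp-report"."blocked-uri"'),
          JSON_VALUE(report FORMAT JSON, '$."csp-report"."violated-directive"')
 ORDER BY hits DESC;
```

The endpoint has to be unauthenticated (browsers post reports without credentials), so anyone on the network can write to that table: cap the request size at the web tier, purge old rows, and never render script-sample values unescaped. The triage query reads the report-uri document shape; report-to delivers an array of {"type": "csp-violation", "body": {...}} objects with camelCase keys, so a second query or a normalising view is needed once that path carries traffic.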

Page 23

#2 ICAP

• https://www.symantec.com/products/protection-engine

• Symantec Protection Engine For Cloud Services

• ORDS Configuration: ORDS can hand every uploaded file to an ICAP server before APEX sees it (the icap.server and icap.port settings); an upload the scanner rejects never reaches the database

• Prevent hosting and distribution of malware through File Browse items

• URL Filtering

• Advanced Machine Learning

• EICAR test file: the standard harmless test string that every AV engine detects; upload it through a File Browse item to prove the scan path works end to end

Page 24

#2 ICAP Screenshots

Page 25

#2 ICAP Configuration

• AV Content & Scanning

• Insight

• URL Content & Reputational Filtering

• APK Reputation

• Tuning

• File Types

• File Sizes

• Scan Time

Page 26

#3 SSL One Way

Diagram: the client sends an https request; the server presents a certificate issued by a Certificate Authority (CA); the client validates it against its trust store and then accesses the protected resource. Only the server is authenticated.

Page 27

#3 SSL Two Way

Diagram: as for one way, but during the https request the server also asks for a client certificate, issued by a CA the server trusts, and validates it before granting access to the protected resource. Both sides are authenticated (mutual TLS).

Page 28

#3 Two Way SSL Issues

• Bulk production of certificates

• Distribution of certificates (https://send.firefox.com was suggested; Firefox Send was discontinued in 2020)

• Distribution of passwords (the PKCS#12 password must travel by a different channel from the certificate file, otherwise one intercepted message yields both)

• User education

• Installation of certificates

• Use of certificates

Page 29

#4 HSTS

• https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security

• What: the Strict-Transport-Security response header, for example Strict-Transport-Security: max-age=31536000; includeSubDomains

• Why: prevents protocol-downgrade man-in-the-middle attacks (SSL stripping) on every visit after the first; the browser preload list covers the first visit

• How: once the browser has seen the header over https it refuses plain-http connections to that domain (and its subdomains, if includeSubDomains is set) for max-age seconds, rewriting them to https itself

• Test: chrome://net-internals/#hsts (query the domain). Start with a short max-age: a wrong header cannot be recalled from users' browsers before it expires

Page 30

#5 Data Catalogue

• Use APEX to Catalogue Data

• Store Information in Database Comments

• Review for Business Use

• Review for Legal Basis (GDPR)

• Demo: https://www.apextestautomation.co.uk/ords/f?p=247
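Tip #5 done with column comments, as the slide suggests, in a form an APEX report can sit on; this is an added example, not the presenter's demo code. It assumes a data schema HR with an EMPLOYEES table; the KEY=value; tag syntax is this example's own convention.

```sql
-- Added example, not the presenter's demo. Assumes schema HR with EMPLOYEES;
-- the KEY=value; comment syntax is this example's convention.
COMMENT ON COLUMN hr.employees.national_insurance_no IS
   'PII=Y; CATEGORY=Identifier; LEGAL_BASIS=Legal obligation; RETENTION=6 years after leaving; OWNER=Payroll';
COMMENT ON COLUMN hr.employees.home_phone IS
   'PII=Y; CATEGORY=Contact; LEGAL_BASIS=Contract; RETENTION=1 year after leaving; OWNER=HR';
COMMENT ON COLUMN hr.employees.department_id IS 'PII=N';

-- One row per column with the tags split out: the source for an APEX catalogue report.
-- The dictionary keeps the comment, so the classification travels with the table in
-- every export and refresh.
CREATE OR REPLACE VIEW data_catalogue_v AS
SELECT owner, table_name, column_name,
       REGEXP_SUBSTR(comments, 'PII=([YN])',          1, 1, NULL, 1) AS is_pii,
       REGEXP_SUBSTR(comments, 'CATEGORY=([^;]+)',    1, 1, NULL, 1) AS category,
       REGEXP_SUBSTR(comments, 'LEGAL_BASIS=([^;]+)', 1, 1, NULL, 1) AS legal_basis,
       REGEXP_SUBSTR(comments, 'RETENTION=([^;]+)',   1, 1, NULL, 1) AS retention,
       REGEXP_SUBSTR(comments, 'OWNER=([^;]+)',       1, 1, NULL, 1) AS business_owner
  FROM all_col_comments
 WHERE owner = 'HR';

-- Review for business use: columns nobody has classified yet
-- (ALL_COL_COMMENTS lists every column, with NULL where there is no comment).
SELECT table_name, column_name
  FROM all_col_comments
 WHERE owner = 'HR'
   AND (comments IS NULL OR comments NOT LIKE 'PII=%')
 ORDER BY 1, 2;

-- Review for legal basis (GDPR): personal data held with no stated basis or retention.
SELECT table_name, column_name, category
  FROM data_catalogue_v
 WHERE is_pii = 'Y'
   AND (legal_basis IS NULL OR retention IS NULL);
```

Put the two review queries on an APEX page as interactive reports and the catalogue becomes a living document rather than a spreadsheet; the PII=Y tag is also what a download warning or access audit can key on.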

Page 31

#6 2FA

• OTP vs SMS vs U2F: SMS codes are the weakest option (SIM swap, interception), authenticator-app OTPs are better, U2F/FIDO2 keys are phishing-resistant

• HMAC OTP authenticator app (HOTP, RFC 4226; TOTP, RFC 6238)

• QR Code app or free desktop app (Win and Mac)

Where the second factor lives:

1. Included with the Authentication Service

2. Added to the upstream Authentication Service

3. APEX Authentication (implemented inside the custom authentication scheme)

Page 32

#6 2FA Key Features

• SMS Session Code

• Display both QR Code AND Secret Key

• Add/Replace Devices

• Create a new key
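The "HMAC OTP" factor from page 31, option 3 (done inside the APEX custom authentication scheme), together with the "QR code AND secret key" enrolment from page 32, as an added PL/SQL example that is not the presenter's code. It assumes a per-user secret of 20 random bytes (DBMS_CRYPTO.RANDOMBYTES(20)) stored encrypted in an assumed table MFA_SECRETS (username, secret RAW(20), last_counter NUMBER), EXECUTE on DBMS_CRYPTO granted to the schema, and a login page item P101_OTP.

```sql
-- Added example, not the presenter's code. MFA_SECRETS and P101_OTP are assumed names;
-- DBMS_CRYPTO must be granted to the schema.

-- RFC 4648 base32 without padding, for secrets whose length is a multiple of 5 bytes.
CREATE OR REPLACE FUNCTION base32_encode (p_raw IN RAW) RETURN VARCHAR2 IS
   c_alpha CONSTANT VARCHAR2(32) := 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
   l_out   VARCHAR2(256);
   l_group NUMBER;                               -- 40 bits = 8 base32 characters
BEGIN
   FOR g IN 0 .. TRUNC(UTL_RAW.LENGTH(p_raw) / 5) - 1 LOOP
      l_group := TO_NUMBER(RAWTOHEX(UTL_RAW.SUBSTR(p_raw, g * 5 + 1, 5)), 'XXXXXXXXXX');
      FOR k IN 0 .. 7 LOOP
         l_out := l_out || SUBSTR(c_alpha, MOD(TRUNC(l_group / POWER(2, 35 - 5 * k)), 32) + 1, 1);
      END LOOP;
   END LOOP;
   RETURN l_out;
END;
/

-- HOTP (RFC 4226) for one counter value; TOTP is HOTP with counter = unix_time / 30.
CREATE OR REPLACE FUNCTION hotp_code (p_secret IN RAW, p_counter IN NUMBER) RETURN VARCHAR2 IS
   l_msg RAW(8);
   l_mac RAW(20);
   l_off PLS_INTEGER;
   l_bin NUMBER;
BEGIN
   -- 8-byte big-endian counter; the high 4 bytes stay zero until the year 2106
   l_msg := UTL_RAW.CONCAT(HEXTORAW('00000000'),
                           UTL_RAW.CAST_FROM_BINARY_INTEGER(p_counter, UTL_RAW.BIG_ENDIAN));
   l_mac := DBMS_CRYPTO.MAC(l_msg, DBMS_CRYPTO.HMAC_SH1, p_secret);
   -- dynamic truncation: low nibble of the last byte selects 4 bytes, top bit cleared
   l_off := BITAND(TO_NUMBER(RAWTOHEX(UTL_RAW.SUBSTR(l_mac, 20, 1)), 'XX'), 15);
   l_bin := MOD(TO_NUMBER(RAWTOHEX(UTL_RAW.SUBSTR(l_mac, l_off + 1, 4)), 'XXXXXXXX'),
                POWER(2, 31));
   RETURN LPAD(MOD(l_bin, 1000000), 6, '0');
END;
/

-- Self-check against the RFC 6238 Appendix B vector (SHA-1, time step 1, 6 digits).
BEGIN
   IF hotp_code(UTL_RAW.CAST_TO_RAW('12345678901234567890'), 1) <> '287082' THEN
      RAISE_APPLICATION_ERROR(-20000, 'HOTP implementation is broken');
   END IF;
END;
/

-- Verify a submitted code within +/- P_WINDOW time steps and return the step it
-- matched, or NULL. Steps at or before P_LAST_COUNTER are refused, so a code that
-- was shoulder-surfed or sniffed cannot be replayed inside the window; the caller
-- stores the returned step as the new last_counter.
CREATE OR REPLACE FUNCTION totp_match (p_secret       IN RAW,
                                       p_code         IN VARCHAR2,
                                       p_last_counter IN NUMBER      DEFAULT 0,
                                       p_window       IN PLS_INTEGER DEFAULT 1) RETURN NUMBER IS
   l_now NUMBER := FLOOR((CAST(SYS_EXTRACT_UTC(SYSTIMESTAMP) AS DATE) - DATE '1970-01-01')
                         * 86400 / 30);
BEGIN
   FOR i IN -p_window .. p_window LOOP
      IF l_now + i > p_last_counter AND hotp_code(p_secret, l_now + i) = p_code THEN
         RETURN l_now + i;
      END IF;
   END LOOP;
   RETURN NULL;
END;
/

-- Enrolment (page 32): render this URI as a QR code and show the base32 secret as text
-- for users who cannot scan.
CREATE OR REPLACE FUNCTION otpauth_uri (p_secret IN RAW, p_user IN VARCHAR2, p_issuer IN VARCHAR2)
   RETURN VARCHAR2 IS
BEGIN
   RETURN 'otpauth://totp/' || utl_url.escape(p_issuer || ':' || p_user, TRUE)
          || '?secret='    || base32_encode(p_secret)
          || '&issuer='    || utl_url.escape(p_issuer, TRUE)
          || '&algorithm=SHA1&digits=6&period=30';
END;
/

-- In the custom authentication function, after the password check:
--   l_step := totp_match(l_secret, :P101_OTP, l_last_counter);
--   IF l_step IS NULL THEN RETURN FALSE; END IF;
--   UPDATE mfa_secrets SET last_counter = l_step WHERE username = p_username;
```

Rate-limit the OTP step (a six-digit code with a three-step window survives only a few hundred guesses per time step) and lock the account after a handful of failures; PL/SQL string comparison is not constant-time, which matters far less than leaving the guess rate unbounded. "Add/Replace Devices" and "Create a new key" from the slide are a DBMS_CRYPTO.RANDOMBYTES(20) write to MFA_SECRETS followed by a fresh otpauth_uri, gated behind a re-authentication.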

Page 33

#6 2FA SMS

Page 34

#6 2FA Auth App

Page 35

#7 Audit Downloads

• IR download warning

• Application-triggered vs database-triggered

• https://spendolini.blogspot.co.uk/2018/04/logging-apex-report-downloads.html

• Disable the browser copy function (a deterrent only: view-source, developer tools and screenshots all bypass it, so it is not a control to rely on)

  .t-Body {
    -webkit-touch-callout: none; /* iOS Safari */
    -webkit-user-select: none;   /* Safari, Opera and Chrome */
    -khtml-user-select: none;    /* Konqueror */
    -moz-user-select: none;      /* Firefox */
    -ms-user-select: none;       /* Internet Explorer/Edge */
    user-select: none;           /* Non-prefixed version */
  }

Page 36

#7 Audit Downloads

• On-page-load (Before Header) process, conditional on the request being a download (csv, rtf, xls)

• Redirect to a warning modal

• Cancel or Confirm

• Use the APEX dictionary views to check whether the report exposes personal data / PII

• Use a custom checksum so the confirmation step cannot be bypassed by editing the URL

Page 37

#8 Download Encryption

• PDF Encryption in BI Publisher

• 128-bit AES Encrypted

Page 38

#8 Download Encryption

Page 39

#9 Personal Data Access Audit Forms

• After Header process, recording:

• Application ID

• Page ID

• PK ID

• Audit Type

• Username

• DTG (date-time group: the timestamp)

Page 40

#9 Personal Data Access Audit Reports

• Dynamic Action: After Report Refresh

• On True: PL/SQL Code

• Check for sensitive columns

• Fire Audit
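One audit table and procedure serving both the download warning (pages 35 and 36) and the personal-data access audit (pages 39 and 40), as an added PL/SQL example that is not the presenter's code. Assumed names: an application item DOWNLOAD_TOKEN; a warning page 999 with items P999_REQUEST and P999_RETURN_PAGE; an employee form page 20 with P20_EMP_ID; PII columns carry a column comment starting with PII=Y (the page 30 convention). The REQUEST values a download sends ('CSV', 'XLS', 'RTF' here) depend on the APEX version and report type, so confirm them in the browser's network tab before relying on the condition.

```sql
-- Added example, not the presenter's code. DOWNLOAD_TOKEN, page 999 and its items,
-- page 20 / P20_EMP_ID, schema HR and the request values are assumptions.

CREATE TABLE personal_data_access_audit (
   id          NUMBER GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
   app_id      NUMBER        NOT NULL,
   page_id     NUMBER        NOT NULL,
   pk_id       VARCHAR2(200),
   audit_type  VARCHAR2(20)  NOT NULL,   -- VIEW, REPORT or DOWNLOAD
   username    VARCHAR2(255) NOT NULL,
   dtg         TIMESTAMP WITH TIME ZONE DEFAULT SYSTIMESTAMP NOT NULL,
   detail      VARCHAR2(4000)
);

-- Autonomous: the audit row is kept even when the page request that caused it fails.
CREATE OR REPLACE PROCEDURE log_personal_access (
   p_audit_type IN VARCHAR2, p_pk_id IN VARCHAR2 DEFAULT NULL, p_detail IN VARCHAR2 DEFAULT NULL)
IS
   PRAGMA AUTONOMOUS_TRANSACTION;
BEGIN
   INSERT INTO personal_data_access_audit (app_id, page_id, pk_id, audit_type, username, detail)
   VALUES (v('APP_ID'), v('APP_PAGE_ID'), p_pk_id, p_audit_type, v('APP_USER'), p_detail);
   COMMIT;
END;
/

-- Does any report on this page select a column tagged PII? Joins the APEX dictionary
-- views (interactive and classic report columns) to the column comments by alias.
CREATE OR REPLACE FUNCTION report_has_pii (p_app_id IN NUMBER, p_page_id IN NUMBER,
                                           p_owner IN VARCHAR2 DEFAULT 'HR') RETURN BOOLEAN IS
   l_hits NUMBER;
BEGIN
   SELECT COUNT(*) INTO l_hits
     FROM (SELECT column_alias FROM apex_application_page_ir_col
            WHERE application_id = p_app_id AND page_id = p_page_id
           UNION ALL
           SELECT column_alias FROM apex_application_page_rpt_cols
            WHERE application_id = p_app_id AND page_id = p_page_id) rc
     JOIN all_col_comments cc
       ON cc.owner = p_owner AND cc.column_name = UPPER(rc.column_alias)
    WHERE cc.comments LIKE 'PII=Y%';
   RETURN l_hits > 0;
END;
/

-- Page 36, report page: Before Header process, condition  :REQUEST IN ('CSV','XLS','RTF').
-- The token is a session-salted hash (APEX_UTIL.GET_HASH), so a user who edits the URL
-- to skip page 999 cannot forge it; it is cleared after one use.
DECLARE
   l_token VARCHAR2(4000) := apex_util.get_hash(
      apex_t_varchar2(:APP_ID, :APP_PAGE_ID, :REQUEST, 'DOWNLOAD-CONFIRMED'));
BEGIN
   IF :DOWNLOAD_TOKEN IS NULL OR :DOWNLOAD_TOKEN <> l_token THEN
      apex_util.redirect_url(apex_page.get_url(      -- stops the engine: no download
         p_page   => 999,
         p_items  => 'P999_RETURN_PAGE,P999_REQUEST',
         p_values => :APP_PAGE_ID || ',' || :REQUEST));
   END IF;
   :DOWNLOAD_TOKEN := NULL;
   IF report_has_pii(:APP_ID, :APP_PAGE_ID) THEN
      log_personal_access('DOWNLOAD', p_detail => 'format=' || :REQUEST);
   END IF;
END;

-- Page 36, warning page 999: process on the Confirm button (Cancel just branches back).
BEGIN
   :DOWNLOAD_TOKEN := apex_util.get_hash(
      apex_t_varchar2(:APP_ID, :P999_RETURN_PAGE, :P999_REQUEST, 'DOWNLOAD-CONFIRMED'));
   apex_util.redirect_url(apex_page.get_url(p_page => :P999_RETURN_PAGE, p_request => :P999_REQUEST));
END;

-- Page 39, employee form page 20: After Header process.
BEGIN
   log_personal_access('VIEW', p_pk_id => :P20_EMP_ID);
END;

-- Page 40, report page: dynamic action "After Refresh" on the region, true action
-- "Execute PL/SQL Code". Server-side, so it cannot be skipped from the browser;
-- it fires on every page, filter and sort, so expect volume.
BEGIN
   IF report_has_pii(:APP_ID, :APP_PAGE_ID) THEN
      log_personal_access('REPORT');
   END IF;
END;
```

The application-triggered approach above only sees downloads that arrive as page requests; where a newer APEX version exports through an AJAX call instead, the Before Header hook never fires, which is the case for the database-triggered alternative the slide mentions (for example a fine-grained audit policy on the base table).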

Page 41

#10 WAF

1. Oracle Transport Security

2. ModSecurity

• OWASP Core Rule Set

• APEX Ruleset (exclusions for APEX's f?p= URLs and request parameters, which the generic rules otherwise flag)

Page 42

Summary

1. Content Security Policy (CSP)

2. Internet Content Adaptation Protocol (ICAP)

3. Transport Layer Security (TLS)

4. HTTP Strict Transport Security (HSTS)

5. Data Catalogue

6. Multi-Factor Authentication (2FA)

7. Audit Downloads

8. Download Encryption

9. Access Audit

10. Web Application Firewall …