Security Tips of APEX Applications...I Don’t Need Security Because …. We are not on the Internet...
Transcript of Security Tips of APEX Applications...I Don’t Need Security Because …. We are not on the Internet...
Small Print
The Threat Landscape
• Cyber Criminals
• Hacktivists
• Hackers
• Nation States
Or Is It This?
• Competitors
• Script Kiddies
• Employees
• Ex-Employees
I Don’t Need Security Because ….
• We are not on the Internet
• I don’t have any sensitive data
• It’s just for Dev, Test or Demos
• We have Accreditation, VA or Pen Test
• We have Security Teams to worry about that
• It costs too much
• I trust my Users
• All the access points have AV installed
OWASP Top Ten
• A1 – Injection
• A2 – Broken Authentication
• A3 – Sensitive Data Exposure
• A4 – XML External Entities (XXE)
• A5 – Broken Access Control
• A6 – Security Misconfiguration
• A7 – Cross-Site Scripting (XSS)
• A8 – Insecure Deserialization
• A9 – Using Components with Known Vulnerabilities
• A10 – Insufficient Logging & Monitoring
APEX Common Vulnerabilities
• SQL Injection
• Cross-Site Scripting
• URL Tampering
APEX Common Precautions
• Authorization Schemes
• Escape Markup
• Scanning (APEXSec, APEX-SERT, APEX Advisor)
• Fine Grain Access Control (VPD/OLS)
• Database Advanced Security - TDE, DV
• Vulnerability Assessments
Security Frameworks / ISMS
• NCSC Cyber Essentials
• IASME Governance
• NCSC Cyber Essentials Plus
• IASME GOLD
• ISO 27001
Top Tips
1. Secure By Default
2. Defence in Depth
3. Don’t put Data in your parsing schema
4. Use GUIDs not Sequences
5. Friends don’t let friends write authentication
6. Get Wise
7. Testing
8. Technical
NCSC “Secure By Default”
1. Built In, Not Added On
2. Treat Cause, Not Symptoms
3. Process, Not A Goal
4. Don’t Compromise Usability
5. Reliable
6. Evolving
7. Avoid Security Through Obscurity
8. Simple
“Defence In Depth”
• Mutual Support
• Layering Security
APEX Workspace
Application Architecture (diagram): the Applications and their Parsing Schema inside the APEX Workspace, with separate Application Schema, Data Schema and Users Schema.
GUID vs Sequences
Sequence: 10020, 10040, 10060, 10080, 10090
GUID: 93487593845939897845, 00480353495309485393, 03458923396566670000, 85849493040959594003, 95949300020033040506
Authentication
“Friends don’t let friends write authentication”
“Hackers don’t need to hack-in, they just need to log in."
70% of breaches from stolen credentials
51% of people still reuse passwords
Enterprise IDAM
1. Oracle Identity Cloud Services
2. OKTA
3. verify.gov.uk
Training
1. OWASP
2. https://portswigger.net/web-security
3. https://www2.owasp.org/www-project-juice-shop/
Testing
APEX Test Automation
Top Tips Summary
1. Secure By Default
2. Defence in Depth
3. Don’t put Data in your parsing schema
4. Use GUIDs not Sequences
5. Friends don’t let friends write authentication
6. Get Wise
7. Testing
#1 Content Security Policy (CSP)
• https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
• https://www.w3.org/TR/CSP3
• HTTP Response Header
• Current Release V2 – V3 Draft
• Supported Chrome 25, IE 10, FF 23, Opera 15, Safari 7
• XSS (By Restricting Domains)
• Packet Sniffing (By Restricting Protocols)
• Active or Passive
• Content-Security-Policy
• Content-Security-Policy-Report-Only
#1 APEX CSP - Example
Content-Security-Policy-Report-Only:
• report-uri (Deprecated?)
• report-to
• default-src 'self' 'unsafe-inline' 'report-sample';
• https://www.apextestautomation.co.uk/ords/f?p=285
#1 CSP Violations
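As an added example (not code from the talk), covering the report-only policy on the previous slide and the violation reports it produces: it builds the header, emits the Report-To header that report-to depends on, and triages the reports browsers post in both the legacy report-uri format and the Reporting API batch format, counting blocked origins per directive. The endpoint path /csp-report, the group name csp and the sample reports are assumptions constructed for the example.

```python
import json
from collections import Counter
from urllib.parse import urlsplit

REPORT_PATH = "/csp-report"   # assumed endpoint path (not from the slides)
REPORT_GROUP = "csp"          # assumed Reporting API group name

def csp_header(report_only=True):
    """(header name, value) for the slide's policy: report-uri is the legacy,
    deprecated endpoint directive, report-to the Reporting API one, and
    'report-sample' asks the browser to include a snippet of blocked code."""
    value = "; ".join(["default-src 'self' 'unsafe-inline' 'report-sample'",
                       f"report-uri {REPORT_PATH}", f"report-to {REPORT_GROUP}"])
    name = "Content-Security-Policy-Report-Only" if report_only else "Content-Security-Policy"
    return name, value

def report_to_header(endpoint_url, max_age=86400):
    """Report-To header value that defines the group named by report-to."""
    return json.dumps({"group": REPORT_GROUP, "max_age": max_age,
                       "endpoints": [{"url": endpoint_url}]})

def normalise(entry):
    """Map either report format to (effective directive, blocked URI, sample)."""
    if "csp-report" in entry:                       # legacy report-uri POST body
        r = entry["csp-report"]
        return (r.get("effective-directive") or r.get("violated-directive", ""),
                r.get("blocked-uri", ""), r.get("script-sample", ""))
    if entry.get("type") == "csp-violation":        # one item of a Reporting API batch
        b = entry["body"]
        return b.get("effectiveDirective", ""), b.get("blockedURL", ""), b.get("sample", "")
    raise ValueError("unrecognised CSP report")

def triage(raw_posts):
    """Count violations per (directive, blocked origin): repeated third-party
    origins are usually scripts injected by browser add-ons, while 'inline'
    hits are the application's own code that an enforcing policy would block."""
    counts = Counter()
    for raw in raw_posts:
        payload = json.loads(raw)
        for entry in (payload if isinstance(payload, list) else [payload]):
            directive, blocked, _sample = normalise(entry)
            parts = urlsplit(blocked)
            origin = f"{parts.scheme}://{parts.netloc}" if parts.netloc else blocked
            counts[(directive, origin)] += 1
    return counts

# Constructed sample posts (not real reports); hosts use the reserved .invalid TLD.
SAMPLE_POSTS = [
    json.dumps({"csp-report": {"document-uri": "https://apex.example/ords/f?p=285",
                               "effective-directive": "script-src-elem",
                               "blocked-uri": "https://addon-injector.invalid/addons/lnkr.min.js"}}),
    json.dumps({"csp-report": {"document-uri": "https://apex.example/ords/f?p=285",
                               "violated-directive": "script-src 'self'",
                               "effective-directive": "script-src",
                               "blocked-uri": "inline", "script-sample": "var x = 1"}}),
    json.dumps([{"type": "csp-violation", "age": 10,
                 "body": {"documentURL": "https://apex.example/ords/f?p=285",
                          "effectiveDirective": "script-src-elem",
                          "blockedURL": "https://addon-injector.invalid/addons/other.js"}}]),
]
```

Run the policy in report-only mode first and review the triage counts; only once the inline hits are understood should 'unsafe-inline' be dropped and the enforcing header switched on.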
#2 ICAP
• https://www.symantec.com/products/protection-engine
• Symantec Protection Engine For Cloud Services
• ORDS Configuration
• Prevent Hosting and Distribution Of Malware
• URL Filtering
• Advanced Machine Learning
• EICAR test file
#2 ICAP Screenshots
#2 ICAP Configuration
• AV Content & Scanning
• Insight
• URL Content & Reputational Filtering
• APK Reputation
• Tuning
  • File Types
  • File Sizes
  • Scan Time
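An added example (not from the talk and not Symantec's or ORDS's code) for the ICAP slides above: it builds the RFC 3507 RESPMOD request that hands an uploaded file (here the EICAR test string) to a scanning engine, reads the engine's verdict (204 means the content was left untouched, 200 means it was replaced, with the X-Infection-Found or X-Violations-Found header carrying the detection detail that engines such as Symantec's return), and applies the file-type and file-size tuning limits as a pre-check. The scanner URL, the size limit and the exempted extensions are assumptions.

```python
import re

ICAP_VERSION = "ICAP/1.0"
# The standard EICAR anti-malware test string (68 bytes, harmless, flagged by every engine).
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
# Constructed tuning limits (the slide's "File Types" and "File Sizes" knobs).
MAX_SCAN_BYTES = 10 * 1024 * 1024
SKIP_EXTENSIONS = {".png", ".jpg", ".gif"}   # assumed policy: plain images are exempt

def worth_scanning(filename, size):
    """Tuning hook: exempted types are skipped; oversize files fail closed."""
    ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if size > MAX_SCAN_BYTES:
        return "reject"          # too large to scan within the request budget
    return "skip" if ext in SKIP_EXTENSIONS else "scan"

def build_respmod(service_url, host, path, body, content_type="application/octet-stream"):
    """Wrap `body` in an ICAP RESPMOD request (RFC 3507). Encapsulated offsets are
    byte positions within the encapsulated area, i.e. the bytes after the blank
    line that ends the ICAP header."""
    req_hdr = f"GET {path} HTTP/1.1\r\nHost: {host}\r\n\r\n".encode()
    res_hdr = (f"HTTP/1.1 200 OK\r\nContent-Type: {content_type}\r\n"
               f"Content-Length: {len(body)}\r\n\r\n").encode()
    res_body = b"%x\r\n%s\r\n0\r\n\r\n" % (len(body), body)     # one HTTP chunk + terminator
    encapsulated = f"req-hdr=0, res-hdr={len(req_hdr)}, res-body={len(req_hdr) + len(res_hdr)}"
    icap_hdr = (f"RESPMOD {service_url} {ICAP_VERSION}\r\nHost: {host}\r\n"
                f"Allow: 204\r\nEncapsulated: {encapsulated}\r\n\r\n").encode()
    return icap_hdr + req_hdr + res_hdr + res_body

def encapsulated_area(message):
    """Split an ICAP message into (header lines, Encapsulated offsets, encapsulated bytes)."""
    head, _, area = message.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    offsets = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "encapsulated":
            for item in value.split(","):
                k, _, v = item.strip().partition("=")
                offsets[k] = int(v)
    return lines, offsets, area

def scan_verdict(response):
    """Interpret the engine's reply: 204 = content untouched (clean); 200 = content
    replaced, with X-Infection-Found / X-Violations-Found naming the detection."""
    lines, _offsets, _area = encapsulated_area(response)
    m = re.match(r"ICAP/1\.\d (\d{3})", lines[0])
    if not m:
        raise ValueError("not an ICAP response")
    code = int(m.group(1))
    headers = {k.strip().lower(): v.strip() for k, _, v in (ln.partition(":") for ln in lines[1:])}
    if code == 204:
        return "clean"
    if code == 200:
        return "blocked: " + headers.get("x-infection-found",
                                         headers.get("x-violations-found", "unspecified"))
    return f"error: ICAP status {code}"
```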
#3 SSL One Way
Diagram: Certificate Authority (CA); https request; Access Protected Resource
#3 SSL Two Way
Diagram: Certificate Authority (CA); https request; Access Protected Resource
#3 Two Way SSL Issues
• Bulk Production of Certificates
• Distribution of Certificates
  • https://send.firefox.com
• Distribution of Passwords
• User Education
  • Installation of certificates
  • Use of certificates
#4 HSTS
• https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
• What: Strict-Transport-Security
• Why: Prevents Man-in-the-Middle attacks
• How: Blocks non-https connections by Domain
• Test: chrome://net-internals/#hsts
#5 Data Catalogue
• Use APEX to Catalogue Data
• Store Information in Database Comments
• Review for Business Use
• Review for Legal Basis (GDPR)
• Demo: https://www.apextestautomation.co.uk/ords/f?p=247
#6 2FA
• OTP Vs SMS Vs U2F
• HMAC OTP Authenticator App
• QR Code App or Free Desktop App (Win and Mac)
1. Included with the Authentication Service
2. Added to the upstream Authentication Service
3. APEX Authentication
#6 2FA Key Features
• SMS Session Code
• Display both QR Code AND Secret Key
• Add/Replace Devices
• Create a new key
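An added example (not code from the talk or any authenticator product) for the two 2FA slides above: the HMAC-based OTP scheme an authenticator app implements (RFC 4226 HOTP under RFC 6238 TOTP), the secret-key and otpauth:// provisioning URI that are shown as text and as a QR code, and a verifier that tolerates one step of clock drift but refuses a code from a step that has already been used. Account and issuer names are placeholders.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from urllib.parse import quote

def new_secret(nbytes=20):
    """Fresh shared secret, base32 text as shown next to the QR code ('Create a new key')."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii")

def provisioning_uri(secret_b32, account, issuer):
    """otpauth:// URI that authenticator apps read from the enrolment QR code."""
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={secret_b32}&issuer={quote(issuer)}"
            "&algorithm=SHA1&digits=6&period=30")

def hotp(secret_b32, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, dynamic truncation, mod 10^digits."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret_b32, at=None, period=30, digits=6):
    """RFC 6238: HOTP with the counter set to the current 30-second time step."""
    at = time.time() if at is None else at
    return hotp(secret_b32, int(at // period), digits)

def verify_totp(secret_b32, submitted, last_step_used, at=None, window=1, period=30, digits=6):
    """Check a submitted code against the current step and its neighbours within
    `window` (clock drift). Returns the matching step, or None. Steps at or before
    last_step_used are refused, so an intercepted code cannot be replayed while the
    window still accepts it; the caller persists the returned step per user."""
    at = time.time() if at is None else at
    step = int(at // period)
    for delta in range(-window, window + 1):
        candidate = step + delta
        if candidate <= last_step_used:
            continue
        if hmac.compare_digest(hotp(secret_b32, candidate, digits), submitted):
            return candidate
    return None
```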
#6 2FA SMS
#6 2FA Auth App
#7 Audit Downloads
• IR Download Warning
• Application Vs Database Triggered
• https://spendolini.blogspot.co.uk/2018/04/logging-apex-report-downloads.html
• Disable Browser Copy Function:

```css
.t-Body {
  -webkit-touch-callout: none; /* iOS Safari */
  -webkit-user-select: none;   /* Safari, Opera and Chrome */
  -khtml-user-select: none;    /* Konqueror */
  -moz-user-select: none;      /* Firefox */
  -ms-user-select: none;       /* Internet Explorer/Edge */
  user-select: none;           /* Non-prefixed version */
}
```
#7 Audit Downloads
• On Page Load process that runs when the request is csv, rtf or xls
• Redirect to warning modal
• Cancel or Confirm
• Use APEX Views to check for Personal / PII columns
• Use a custom checksum to ensure the process cannot be bypassed
#8 Download Encryption
• PDF Encryption in BI Publisher
• 128-bit AES Encrypted
#9 Personal Data Access Audit Forms
• After Header Process
  • Application ID
  • Page ID
  • PK ID
  • Audit Type
  • Username
  • DTG
#9 Personal Data Access Audit Reports
• DA After Report Refresh
• On True
  • PL/SQL Code
  • Check for sensitive columns
  • Fire Audit
#10 WAF
1. Oracle Transport Security
2. Mod Security
• OWASP
• APEX Ruleset
Summary
1. Content Security Policy (CSP)
2. Internet Content Adaptation Protocol (ICAP)
3. Transport Layer Security (TLS)
4. Transport Security Policy (HSTS)
5. Data Catalogue
6. Multi-Factor Authentication (2FA)
7. Audit Downloads
8. Download Encryption
9. Access Audit
10. Web Application Firewall …