Skip to main content

New Book: Expert Oracle Application Express Security

I remember vividly meeting with Jonathan Gennick at RMOUG 2012 at the Apress booth.  As always, he asked if I was up for writing something APEX-related.  And as always, I politely declined, as I just had too much going on at the time.  However, before he let me leave the booth, he pledged that I didn't have to write something that was 800+ pages, and that a niche topic book that was "only" a couple hundred pages would work.  Time to reconsider.

Fast forward a year and change later, and finally, I'm happy to announce that Expert Oracle Application Express Security is now available for purchase (well, it has been for a while, and I'm just now getting around to posting this).  The book really did not take an entire year to write, but there were a couple of challenges that were thrown in along the way.  First of all, that night, we sat down with Enkitec and began discussion the acquisition plans.  So that was a bit of a distraction.  Also, I knew that at the time, APEX 4.2 was near release, and I wanted to ensure that I covered that release, so I had to actually write some of the later chapters first, and then circle back and complete the first ones last, since they contained more APEX 4.2-specific elements.  Throw in the daily trials and tribulations of two kids and their hectic schedules and eventually a new job with new responsibilities, and all that added up to why it took longer than many of us wanted.

But enough about the excuses, and more about the book!  The book contains 14 chapters, which range in topic from assessing a threat to preventing SQL injection to securing data at the database level.  I've summarized each chapter below:

Chapter 1 begins with a discussion of how to identify and assess threats to your applications.  It uses home security as an analogy when discussing this, since everyone already understands how to secure their home and has likely already taken steps to do so.  It then categorizes all threats into two categories: preventable and unpreventable, and briefly discusses examples of each 
Chapter 2 covers what a security plan is and how to implement one for your organization.  The main objective when creating such a plan is to first properly assess what the threats are, as specified in the previous chapter.  The security plan is an ever-changing document that has to adjust as threats do, and should be reviewed often. 
Chapter 3 provides an overview of the APEX architecture from a security perspective.  It starts by reviewing the Administration Console and how to configure Workspaces.  It then covers a bit of APEX architecture, as well as touches on the different options for the web listener tier. 
Chapter 4 outlines all of the Instance Settings that pertain to security, and what the implications of setting them improperly are. 
Chapter 5 does the same as the previous chapter, but does so at the Workspace level. 
Chapter 6 covers setting within an application that pertain to security.  It discusses them at the application, page and component level, as well as provides some advice when building mobile applications. 
Chapter 7 outlines the three main threats to an APEX application: SQL Injection, Cross Site Scripting and URL Tampering.  It illustrates example of each, as well as shows how to protect against them. 
Chapter 8 covers how User Authentication schemes work and how they can be better secured.  It also discusses the pros and cons of each type of scheme, as well as some commonly used APIs. 
Chapter 9 talks about Authorization Schemes and how they can be used throughout an application for access control purposes.  It also briefly covers the Access Control feature of APEX. 
Chapter 10 provides an alternate, more secure way to download CSV files from an APEX report.  It provides step-by-step instructions to implement this solution in your applications. 
Chapter 11 outlines a technique called Secure Views.  Secure Views can be used in conjunction with a database context to provide a more secure way to display your data at no additional cost, if you are not using the Enterprise Edition of the database. 
Chapter 12 is similar to the previous one, but it uses Virtual Private Database, which is a feature of the Enterprise Edition of the database. 
Chapter 13 illustrates a concept called Shadow Schema.  By using a limited privilege schema as your parse-as schema in an APEX application, you greatly increase the security of that application using this technique. 
Chapter 14 concludes with some examples of how using encryption in your application can increase the security of your data.
You can get the book online from Amazon here: http://www.amazon.com/Expert-Application-Express-Security-Experts/dp/1430247312/  Alternatively, if you'll be at OOW this year, we will be giving away copies at our booth in the exhibit hall.






Comments

Popular posts from this blog

Whose Deck is it Anyways?

This year at KScope, we're going to try something new.  And fun.  And funny to watch - we hope.  It's called "Whose Deck is it Anyways?", and will occur on Sunday at 8:30pm.  It's only 30 minutes, but it will likely be the best 30 minutes of the conference.  Or at least the most embarrassing.

Here's what we're going to do: the will be four 5-minute presentations - one on each of the following: BI, EPM, Database & APEX.

Sound interesting?  Probably not.  We get that, too.  So here's what we did.

Each 5-minute session will be presented by a non-expert.  For example, it's highly likely that I'll be presenting on BI or EPM.

To make it even better, each slide deck will be prepared by the corresponding expert.  So again, it's highly likely that my slide deck's creator will be either Stewart Bryson or Edward Roske.  If nothing else, this session will be a crash course in how not to make cohesive, easy to read slides.

Interested now?  Ya,…

Spaced Out

A while back, I wrote about how to give the Universal Theme a face lift.  If you follow the steps in that post, the base font for an APEX application with the Universal Theme can easily be changed.

While that's all well and good, sometimes you only want to change the font for a report, not the entire page.  One of the applications that I'm building contains a number of IRs based mostly on log data.  Thus, having that data in a monospaced font would make it a whole lot easier to read.

You can search Google Fonts for monospaced fonts by selecting only that option on the right-side menubar.  You can also opt for the standard yet kinda boring Courier and achieve the same thing.

To implement this in your application, follow the steps in my other post, but stop shy of the final step.  Instead of pasting in the text that I specify, paste in the following to the Custom CSS field in Theme Roller, using the name of the font you selected for the font-family:

.a-IRR-table tr td { font-fam…

#fakecode

Unless you've managed to somehow filter out everything about US politics over the last few months (and if you have, please let me know your secret), then you've likely heard about "fake news".  From a high level, my basic understanding of "fake news" is that it refers to stories or websites that are fabricated to advance the political beliefs and/or ideologies of one site or the other.  Your definition may differ.

So what is fake code?  That, I can at least try to explain in a bit more detail.

The other day, I saw this image posted on Kris Rice's twitter feed:



I thought it was a joke, but it's actually a real book. That made me laugh.  Then cry.  Then I read the book, mainly since it's only 4 pages.  Believe it or not,  there's actually some really good content packed in there.  Let me summarize:

If you choose to copy code from Stack Overflow, the OTN forum, or anywhere, really, there's a few things to keep in mind:


Who owns the code.  It…