
Best Practices for APEX Production Implementation, Hardening and Security

Implementation
1. Deploy the production system as a runtime system, not as a development system. Runtime systems normally perform better, are easier to migrate to, and are by their nature more secure, because the runtime environment has no web-based administrative or builder components.
2. If Active Directory (AD) is available, use it as the authentication scheme so that the AD password policies apply; otherwise use APEX security with its own security policies.
3. For easy, seamless development-to-production migration, use a consistent schema naming convention.
4. Create users in bulk via the APEX-supplied wizard that accepts a comma-separated list of email addresses. You can choose to create the user names as the full email address, or auto-strip the domain so that the user name created is simply the part of the address before the @. Example, for the email address alopez@dbaknow imported to create a user:
   o Resulting user created as the full address: alopez@dbaknow
   o Resulting user created with the domain stripped off: alopez
   A single password is generated for all users, but users are asked to change their passwords the first time they log in.
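The same bulk creation can be scripted when the wizard is not convenient (for example to load users from a ticketing export). The following PL/SQL block is an added example and is not from the original document; it assumes a workspace name ('MYWORKSPACE', a placeholder), a constructed email list, and APEX 18.1 or later for APEX_STRING.SPLIT. It applies the two rules from item 4: optional domain stripping, and one generated password that every user must change on first login.

```plsql
-- Added example (not part of the original document): bulk-create workspace
-- end users from a comma-separated list of e-mail addresses, mirroring the
-- wizard behaviour described in item 4.
DECLARE
    l_workspace    CONSTANT VARCHAR2(30)   := 'MYWORKSPACE';                   -- placeholder workspace
    l_emails       CONSTANT VARCHAR2(4000) := 'alopez@dbaknow,bsmith@dbaknow';  -- constructed input
    l_strip_domain CONSTANT BOOLEAN        := TRUE;  -- FALSE keeps the full address as user name
    l_password     VARCHAR2(64);
    l_list         apex_t_varchar2;
    l_email        VARCHAR2(255);
    l_user_name    VARCHAR2(255);
    l_at           PLS_INTEGER;
BEGIN
    -- Put the session into the target workspace so that APEX_UTIL.CREATE_USER
    -- creates the accounts there rather than in the current workspace.
    apex_util.set_security_group_id(
        p_security_group_id => apex_util.find_security_group_id(p_workspace => l_workspace));

    -- One generated password shared by all new accounts. Hand it to the users
    -- out of band; p_change_password_on_first_use forces a change on first login.
    l_password := dbms_random.string('X', 16);

    l_list := apex_string.split(p_str => l_emails, p_sep => ',');

    FOR i IN 1 .. l_list.count LOOP
        l_email     := trim(l_list(i));
        l_user_name := l_email;
        l_at        := instr(l_email, '@');

        -- Domain stripping: 'alopez@dbaknow' -> 'alopez'. Addresses without
        -- an '@' are left untouched instead of producing an empty name.
        IF l_strip_domain AND l_at > 1 THEN
            l_user_name := substr(l_email, 1, l_at - 1);
        END IF;

        apex_util.create_user(
            p_user_name                    => l_user_name,
            p_email_address                => l_email,
            p_web_password                 => l_password,
            p_change_password_on_first_use => 'Y',
            p_developer_privs              => NULL,   -- end user only: no builder privileges
            p_allow_app_building_yn        => 'N');
    END LOOP;
END;
/
```

Because this is a runtime deployment (item 1), the block is meant to be run from SQL*Plus or SQLcl as a schema that has been granted the APEX administration role; the accounts it creates carry no developer or builder privileges, consistent with the runtime-only posture.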

Hardening and Security


1. To avoid EAVESDROPPING (not needed if users are in ...): as a minimum, establish SSL/HTTPS between the users and the HTTP server. This needs either a certificate from a full-fledged CA or a self-signed certificate. Requirements for SSL certificates:
   o a certificate file (PEM format)
   o a key file (PEM format)
   o a chain file (PEM format) which includes the root certificate
   o an MS-Windows formatted certificate with all of the above in it
   Turn off all plain HTTP traffic acceptance in APEX via the APEX control panel.
2. To avoid URL TAMPERING: turn on and configure APEX Session State Protection (this adds a checksum to all URLs).
3. To avoid CROSS-SITE SCRIPTING (XSS): special characters must be escaped before a value is rendered in the page. All editable fields should be changed to Display as Text (which escapes special characters).
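The escaping that the "Display as Text (escapes special characters)" item type performs can also be applied explicitly when a region or process emits HTML itself. The PL/SQL block below is an added example, not from the original document; it uses a constructed value in place of a page item and shows the unescaped output beside the escaped one produced by APEX_ESCAPE.HTML.

```plsql
-- Added example (not part of the original document): rendering a
-- user-supplied value from a PL/SQL region. The commented-out call is the
-- defect; the live call is the hardened form.
DECLARE
    -- Constructed input standing in for v('P1_COMMENT') (placeholder item name)
    l_raw VARCHAR2(4000) := '<img src=x onerror="alert(1)">';
BEGIN
    -- Unsafe: the user's markup reaches the browser unchanged and is
    -- executed as part of the page.
    -- htp.p('<div class="comment">' || l_raw || '</div>');

    -- Safe: APEX_ESCAPE.HTML turns &, <, >, " and ' into entities, so the
    -- browser displays the text instead of interpreting it.
    htp.p('<div class="comment">' || apex_escape.html(l_raw) || '</div>');
    -- Emits: <div class="comment">&lt;img src=x onerror=&quot;alert(1)&quot;&gt;</div>

    -- Values placed inside an attribute need the attribute variant, because
    -- the quoting rules differ from element content.
    htp.p('<input type="text" value="' || apex_escape.html_attribute(l_raw) || '">');
END;
```

Escaping belongs at the point of output, in the context (element body, attribute, JavaScript string) where the value lands; storing pre-escaped text in the database instead would corrupt the data for every other consumer.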

4. To avoid SQL INJECTION: use bind variables in all SQL constructs that are dynamic in nature. When this is implemented, the injected text is treated as data rather than SQL, so attempts at SQL injection simply result in "No data found".
   Change from this (the &P1_X. substitution pastes the item value into the SQL text):
       select "NR", "POS", "NAME" from "#OWNER#"."TEAM" where "POS"='PUBLIC' and "NAME" like '%&P1_X.%'
   To this (the :P1_X bind variable passes the value as data):
       select "NR", "POS", "NAME" from "#OWNER#"."TEAM" where "POS"='PUBLIC' and "NAME" like '%'||:P1_X||'%'
5. To avoid ABANDONED SESSIONS: SESSION TIMEOUT. By setting the session timeout to 8 hours and the idle timeout to 15 minutes, the exposure to these problems is mitigated.
8. OPERATING SYSTEM
   o Ensure that the operating system is patched to reasonably current levels, especially as regards security patches.
   o Follow the principle of least privilege when granting access to the operating system.
   o Lock or remove any accounts that are not needed by the application, especially demo accounts.
   o Enforce policies regarding account aging and provisioning, as well as password strength, length and duration.
   o Limit the population with access to high-level administrative accounts such as root or administrator.
   ORACLE DATABASE
   o Ensure that the latest CPUs (Critical Patch Updates) have been applied and that relevant security patches, especially for the APEX technology stack, are applied on a current basis.
   o Follow the principle of least privilege when granting access or privileges to database user accounts.
   o Enforce organizational policies concerning password strength, length and duration.
   o Avoid, if possible, granting update privileges on tables within the purview of the APEX application.
   o Use check constraints and referential integrity to ensure that only clean data goes into the database.
   APACHE WEB SERVER
   o Remove preloaded modules and preinstalled content.
   o Don't publicize the names/versions of your software on error or other web pages:
       ServerSignature OFF
       ServerTokens PROD
   o Keep patching up to date; this component could be the likeliest point of entry for unauthorized users.
   NETWORK
   o Because of easy URL access, consider opening the APEX port only to the departments, groups or subnets that will be accessing the application.
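The before/after queries in item 4 can be reproduced outside the APEX report definition, which makes the difference between substitution and binding observable. The PL/SQL block below is an added example, not from the original document; it assumes a table TEAM(NR, POS, NAME) as in the document's query and uses a constructed search string containing quote characters.

```plsql
-- Added example (not part of the original document): the TEAM lookup from
-- item 4 run as dynamic SQL, first with the value pasted into the SQL text
-- (the &P1_X. defect) and then with a bind variable (the :P1_X fix).
DECLARE
    -- Constructed input: the characters a search box could receive. In a
    -- real page this would be v('P1_X').
    l_input VARCHAR2(4000) := 'x'' OR ''%''=''';   -- the string  x' OR '%'='
    l_sql   VARCHAR2(4000);
    l_count PLS_INTEGER;
BEGIN
    -- 1) Substitution: the quotes inside the value rewrite the WHERE clause.
    --    Resulting text:  ... and name like '%x' OR '%'='%'
    --    The OR branch is always true, so the filter on POS is bypassed and
    --    every row in TEAM is returned.
    l_sql := 'select count(*) from team where pos = ''PUBLIC'''
          || ' and name like ''%' || l_input || '%''';
    EXECUTE IMMEDIATE l_sql INTO l_count;
    dbms_output.put_line('substituted text -> ' || l_count || ' rows');

    -- 2) Bind variable: the SQL text is fixed and the value travels as data.
    --    Resulting text:  ... and name like '%' || :p_x || '%'
    --    The quotes are ordinary characters of the search term, so the query
    --    returns 0 rows ("No data found") unless a NAME really contains them.
    l_sql := 'select count(*) from team where pos = ''PUBLIC'''
          || ' and name like ''%'' || :p_x || ''%''';
    EXECUTE IMMEDIATE l_sql INTO l_count USING l_input;
    dbms_output.put_line('bind variable    -> ' || l_count || ' rows');
END;
/
```

Inside APEX the same rule applies without EXECUTE IMMEDIATE: every reference to session state in a region source, LOV query or process should be a :ITEM bind, and the &ITEM. substitution syntax should be reserved for static text such as region titles, where it is escaped by default.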
