Foreword

In May of 1999, Oracle Application Express was begun. I was the only direct report to a great visionary at Oracle Corporation, Michael Hichwa. His passion and creativity led to Oracle Application Express, and I’ve been proud to be directly involved in the development of this rich framework since day one. I’ve also had the pleasure to work directly with Scott Spendolini when he was a product manager on the Oracle Application Express team (in the “early years”). I credit Scott and the other product managers for making Oracle Application Express so successful. They were tireless in pitching and demonstrating Oracle Application Express to anyone who would listen. They helped to cultivate the APEX community, engaged them in social media, and ensured that the customer’s requirements and concerns were addressed in subsequent releases of Oracle Application Express. They authored countless tutorials, white papers, and presentations to help convince customers of the power and benefits of Oracle APEX.

Scott was so enthused with Oracle Application Express that he formed a company focused solely on Oracle Application Express solutions. He and his colleagues are directly responsible for the successful delivery of solutions for numerous high-profile, large-scale, and security-conscious customers. It is these repeated solutions and repeated security requirements that inspired Scott and his colleagues to author a tool to evaluate and identify possible security issues in Oracle Application Express applications. Scott has years of experience in understanding and assessing the myriad security vulnerabilities that are possible in Web applications, and in Oracle Application Express environments in particular.

For many years, it seemed as if security in software development was an afterthought. It was always “build it and assess later,” or as my father would always say, “there’s always enough time and money to do it right the second time.” But this mentality needs to change—security must be a part of the development process and everyone must be conscious of this during design, development, testing and maintenance. There should be a secure coding guidelines document. There must be rules, and equally important, there must be the ability to continually assess whether an application or code violates those rules. The knowledge and experience conveyed in this book will empower the reader to establish this understanding and mindset.

System and database administrators are tasked with setting up and managing Oracle Application Express environments, very often with little to no knowledge of APEX, how it works, how to monitor it, how to diagnose it, or how to secure it. To understand APEX is to understand the architecture, and Scott provides a very lucid and complete overview of the architecture of Oracle Application Express, how it’s organized, and why it is so efficient. Additionally, administrators of an APEX environment are provided with a wealth of options and controls to tweak the Oracle Application Express infrastructure. While the typical Oracle documentation will explain what something is, the chapter on instance settings also answers the anticipated questions of why you would want to change something.

How many security vulnerabilities are considered “too many” in an application? One hundred? Ten? Five? I live by the rule that one is too many for the Oracle Application Express framework, because all it takes is a single vulnerability to provide an entrance to a malicious hacker. Once the entrance is established, it can be used to exploit other deficiencies in your application environment. But before you can understand how to assess the security of an application, you first must understand what types of exploits can be perpetrated against an application and environment and how to protect against them. Scott does an excellent job of explaining the types of threats that are possible and conveys very practical solutions to combat these threats.

In 1999 when Oracle Application Express was begun, the <blink> tag was popular, dynamic generation of HTML Web pages was just becoming commonplace, SQL injection, cross-site scripting, and clickjacking were not in the vernacular, and no one really gave much thought to how hackers might gain access to a Web application. While Oracle Application Express has dramatically evolved to help new customers create secure Web applications out-of-the-box, APEX cannot prevent someone from introducing vulnerabilities in their applications. I am confident that the knowledge Scott conveys in this book will make developers and administrators alike quite complete in their understanding of these various types of threats, how to assess their APEX and database applications, and ultimately, instill the confidence in new and seasoned APEX developers that they can develop robust APEX applications both quickly and securely.

Joel R. Kallman
Director of Development, Oracle Corporation
