Expert Oracle Application. Express Security. Scott Spendolini. Apress"



Similar documents
Management. Oracle Fusion Middleware. 11 g Architecture and. Oracle Press ORACLE. Stephen Lee Gangadhar Konduri. Mc Grauu Hill.

Oracle Database 11g: Security Release 2. Course Topics. Introduction to Database Security. Choosing Security Solutions

D50323GC20 Oracle Database 11g: Security Release 2

Expert PHP and MySQL. Application Desscpi and Development. Apress" Marc Rochkind

HOW TO MAKE YOUR ORACLE APEX APPLICATION SECURE Peter Lorenzen, WM-data a LogicaCMG company

Oracle Database 11g: Security Release 2

WebLogic Server 11g Administration Handbook

Oracle Database 11g: Security. What you will learn:

Oracle Application Express

Demystified CONTENTS Acknowledgments xvii Introduction xix CHAPTER 1 Database Fundamentals CHAPTER 2 Exploring Relational Database Components

How to Make Your Oracle APEX Application Secure

Oracle JDeveloper 10g for Forms & PL/SQL

Oracle Database 11g: Security

J j enterpririse. Oracle Application Express 3. Develop Native Oracle database-centric web applications quickly and easily with Oracle APEX

System Administration of Windchill 10.2

Big Data Analytics. Using Splunk. Peter Zadrozny. Raghu Kodali. Apress"

AppFabric. Pro Windows Server. Stephen Kaufman. Danny Garber. Apress. INFORMATIONSBIBLIOTHbK TECHNISCHE. U N! V En SIT AT S R!

SQL Server 2008 Administration

Implementing Database Security and Auditing

An Oracle White Paper June RESTful Web Services for the Oracle Database Cloud - Multitenant Edition

Beginning SQL Server Administration. Apress. Rob Walters Grant Fritchey

PL/SQL Programming Workbook

Securing Data on Microsoft SQL Server 2012

Data Security: Strategy and Tactics for Success

An Oracle White Paper June Security and the Oracle Database Cloud Service

Oracle EXAM - 1Z Oracle Database 11g Security Essentials. Buy Full Product.

MS-55096: Securing Data on Microsoft SQL Server 2012

Securing SQL Server. Protecting Your Database from. Second Edition. Attackers. Denny Cherry. Michael Cross. Technical Editor ELSEVIER

Pro SQL Server Reporting Services. Third Edition. mm m. Brian McDonald. Shawn McGehee. Rodney Landrum. Apress*

Beginning Oracle. Application Express 4. Doug Gault. Timothy St. Hilaire. Karen Cannell. Martin D'Souza. Patrick Cimolini

NetIQ Identity Manager Setup Guide

Oracle Database 11g Security Essentials

Oracle Database 11g: Security

MatriXay WEB Application Vulnerability Scanner V Overview. (DAS- WEBScan ) The best WEB application assessment tool

Workflow Administration of Windchill 10.2

Web Security Testing Cookbook*

Integrity 10. Curriculum Guide

Owner of the content within this article is Written by Marc Grote

Check list for web developers

Expert Oracle Enterprise

WebMarshal User Guide

Dealer Tutorial. Uplink Customer Service UPLINK 2010 Uplink Security, LLC. All rights reserved.

Pro NuGet. Second Edition. Maarten Balliauw. Xavier Decoster

Mastering Tomcat Development

Chapter 1 Web Application (In)security 1

Oracle Database 11 g Performance Tuning. Recipes. Sam R. Alapati Darl Kuhn Bill Padfield. Apress*

Installing Globodox Web Client on Windows Server 2012

Oracle Application Express and Oracle E-Business Suite. Love and Mariage!

JVA-122. Secure Java Web Development

FINAL DoIT v.8 APPLICATION SECURITY PROCEDURE

Information Technology Policy

Apple Pro Training Series. OS X Server. Essentials. Arek Dreyer. and Ben Greisler

Oracle. Brief Course Content This course can be done in modular form as per the detail below. ORA-1 Oracle Database 10g: SQL 4 Weeks 4000/-

Oracle Database Security

ANDROID SECURITY ATTACKS AND DEFENSES ABHISHEK DUBEY I ANMOL MISRA. ( r öc) CRC Press VV J Taylor & Francis Group ^ "^ Boca Raton London New York

Design and Implementation

Novell Access Manager

SECURITY DOCUMENT. BetterTranslationTechnology

REDCap General Security Overview

1 Copyright 2011, Oracle and/or its affiliates. All rights reserved.

MOC Administering Microsoft SQL Server 2014 Databases

New Features... 1 Installation... 3 Upgrade Changes... 3 Fixed Limitations... 4 Known Limitations... 5 Informatica Global Customer Support...

Criteria for web application security check. Version

Hayri Tarhan, Sr. Manager, Public Sector Security, Oracle Ron Carovano, Manager, Business Development, F5 Networks

Expert Oracle. Database Architecture. Techniques and Solutions. 10gr, and 11g Programming. Oracle Database 9/, Second Edition.

Practical ASRNET. Web API. Badrinarayanan Lakshmiraghavan. Apress*

05.0 Application Development

Database Security Questions HOUG Fehér Lajos. Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Perceptive Experience Single Sign-On Solutions

REDCap Technical Overview

Oracle Fusion Middleware

Administering Microsoft SQL Server Databases MOC 20462

Copyright 2013, Oracle and/or its affiliates. All rights reserved.

Flexible Decision Automation for Your zenterprise with Business Rules and Events

Implementing and Administering an Enterprise SharePoint Environment

Acunetix Web Vulnerability Scanner. Getting Started. By Acunetix Ltd.

<Insert Picture Here> Michael Hichwa VP Database Development Tools Stuttgart September 18, 2007 Hamburg September 20, 2007

Training Guide: Configuring Windows8 8

Secret Server Qualys Integration Guide

Microsoft. Microsoft SQL Server Integration Services. Wee-Hyong Tok. Rakesh Parida Matt Masson. Xiaoning Ding. Kaarthik Sivashanmugam

IIS 6: The Complete Reference

Application Security Testing. Generic Test Strategy

Basic knowledge of the Microsoft Windows operating system and its core functionality Working knowledge of Transact-SQL and relational databases

W H IT E P A P E R. Salesforce CRM Security Audit Guide

Administrator's Guide

PARTNER INTEGRATION GUIDE. Edition 1.0

TIBCO BusinessConnect Trading Partner Administration. Software Release 6.0 November 2011

Oracle Single Sign-On

Onegini Token server / Web API Platform

BSM 9.0 ESSENTIALS. Instructor-Led Training

Business Administration of Windchill PDMLink 10.0

Application Security Policy

Procase Consulting. APEX 4.1 Introduction. Oleg Mochkin

Oracle Identity Management Concepts and Architecture. An Oracle White Paper December 2003

Release System Administrator s Guide

Transcription:

Expert Oracle Application Express Security Scott Spendolini Apress"

Contents Foreword About the Author About the Technical Reviewer Acknowledgments Introduction xv xvii xix xxi xxiii BChapter 1: Threat Analysis 1 Assessment 1 Home Security Assessment 1 Application Security Assessment 2 Data and Privileges 3 Types of Threats 4 Preventable 4 Unpreventable 6 Summary 6 Chapter 2: Implementing a Security Plan 7 What Is a Security Plan? 7 Assessment 8 Risk Analysis 8 Access Control 8 Data Access 9 Auditing and Monitoring Application Management Design 9 9 9 vii

Development 10 Contingency 10 Review and Revision 11 Security Reviews 11 Automated Reviews 11 Manual Reviews 12 Simulating a Breach 12 Summary 13 SChapter 3: APEX Architecture 15 Overview of APEX 15 Administration Console 17 Managing Requests 18 Managing Instances 19 Managing Workspaces 19 Monitoring Activity 19 Workspaces 20 Users and Roles 20 Schema Mappings 22 Components 22 Architecture 26 Metadata-Based Architecture 26 Schemas 27 Transactions 32 The f Procedure and WWV_FL0W.SH0W 32 The WWV_FLOW.ACCEPT Procedure 33 Session State 36 Infrastructure 38 Embedded PL/SQL Gateway 38 Oracle HTTP Server and mod_plsql 39 APEX Listener 39 Summary 40 viii

Chapter 4: Instance Settings 41 Overview 41 Runtime Mode 42 The Instance Administration API 43 The Instance Administrator Database Role 43 Other Options 44 Configuration and Management 44 Manage Instance Settings 45 Feature Configuration 47 Security 48 Instance Configuration Settings 56 Session State 60 Logs and Files 62 Messages 63 Self Service Sign Up 64 Manage Workspaces 64 Create Workspace 65 Create Multiple Workspaces 68 Remove Workspace 70 Lock Workspace 71 Manage Workspace to Schema Assignments 72 Manage Developers and Users 73 Manage Component Availability 75 Export and Import 76 View Workspace Reports 76 Manage Applications 78 View Application Attributes 78 Monitor Activity 80 Realtime Monitor Reports 80 Archived Activity Reports 87 Dashboard Report 87 Summary 88 ix

Chapter 5: Workspace Settings 89 Manage Service 89 Service Requests 90 Workspace Preferences 91 Manage Meta Data 92 Manage Users and Groups 94 User Types 95 Managing Users 96 Managing Groups 98 Monitor Activity 99 Workspace Management Best Practices 100 Summary 100 Chapter 6: Application Settings 101 Application Settings 101 Definition 101 Security Attributes 108 User Interface 117 Page and Region Settings 118 Page Settings 118 Region Settings 124 Report Settings 126 Mobile Applications 127 Hesitancy Toward Corporate Adoption 127 Mobile Considerations for Security 127 Summary 128 Chapter 7: Application Threats 129 SQL Injection 129 Anatomy of an Attack 130 SQL Injection in APEX 133 Bind Variable Notation and Dynamic SQL in APEX 136 x

Cross-Site Scripting 139 Anatomy of an Attack 140 Reflexive Attacks 140 Persistent Attacks 143 Sanitizing Data 144 Restricted Characters 145 APEX_ESCAPE 145 Column Formatting 146 Escaping Regions and Items 151 Protecting Cookies 152 Frames 152 URL Tampering 153 Authorization Inconsistencies 153 Page and Item Protection 154 Virtual Private Database and Secure Views 157 Summary 158 Chapter 8: User Authentication 159 Types of Authentication Schemes 159 Application Express Users 160 Database Accounts 160 HTTP Header Variable 160 LDAP Directory 162 No Authentication (Using DAD) 162 Open Door Credentials 163 Oracle Application Server Single Sign-On 163 Custom 163 APIs for Custom Authentication 165 Common Authentication Scheme Components 166 Source 166 Session Not Valid 167 Login Processing 167 xi

Post Logout URL 168 Session Cookie Attributes 168 Mechanics of Authentication 169 The Login Page 169 Login Page Processes 170 Logging Out 174 Summary 175 Chapter 9: User Authorization 177 Authorization Schemes 177 Implementing Authorization Schemes 179 Role Location 179 Table-Based Roles 179 Gatekeeper Authorization Scheme 180 Page-Level Authorization Schemes 180 Authorization Inconsistencies 182 APEX Access Control 183 Summary 184 Chapter 10: Secure Export to CSV 185 APEX Export Options 185 Maximum Row Count 185 Column Restrictions: Standard Reports 187 Column Restrictions: Interactive Reports 187 Custom Export to CSV 188 Restricting Records with ROWNUM 188 Restricting Records with PL/SQL 190 Summary 200 xii

Chapter 11: Secure Views 201 The View 201 Secure View Components 202 Application Contexts 203 PL/SQL Procedure 203 Secure View SQL 204 Security Attributes 206 Benefits and Drawbacks 208 Summary 209 Chapter 12: Virtual Private Database 211 The Evolution of Data 211 VPD Basics 212 Integration with APEX 212 VPD Policy Function 213 Column Masking and Obfuscation 215 Managing VPD in Oracle Enterprise Manager 222 Summary 223 Chapter 13: Shadow Schema 225 Overview 225 Components 226 Database: Schema and Object Creation 226 Data Schema: Views 228 Revoke Privileges 229 System and User Event Trigger 230 APEX: Simple Form and Report 231 DML APIs and Processes 232 Grants and Synonyms 238 Table API Processes 238 xiii

Securing Data 242 Application Context 242 244 Views Synonym PL/SQL Initialization Code Summary Chapter 14: Encryption Encryption HTTPS APEX HTTPS Settings 244 245 246 247 247 248 251 InstanceAdmin Console and Application Development Environment 251 Applications APEX Item Encryption Data Encryption DBMS_CRYPTO 251 252 255 255 Encrypted Collections 256 Example Advanced Security Option 257 262 Transparent Data Encryption 263 Network Encryption Summary 263 263 Index. 265 xiv

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information