Insider threat and Oracle APEX
- Alex

What is insider threat?
Recently, we attended the Leeds Cyber Security Conference (a fantastic one-day event, but that's another story). This put security at the forefront of our minds, and we also conducted a series of interviews where various security-related questions were posed.
While the candidates explained most of the answers well, one answer came up again and again: "Our apps are internal and not public facing, so we don't need to worry about security too much."
This couldn't be much further from the truth.
Insider threat is one of the most overlooked security risks
It can come from anyone who has access to your applications: employees, contractors and suppliers.
Organisations primarily concentrate on external attackers, but insiders pose a significant risk; some reports indicate that as many as 70% of attacks originate internally.
Because insiders already have network access and valid credentials, firewalls and anti-virus won't stop them; the controls that matter are the ones inside the application and the database.
Organisations often have no clear visibility of who has access to what; users move roles and keep the access they were granted in earlier, more privileged roles.
Organisations often have no record of who accessed which system, when, and why.
How can Oracle and APEX help with insider threat?
Authentication
Built-in access control: use the out-of-the-box authentication schemes or build your own with a custom authentication function.
Integrate with federated identity providers such as Azure, Google and Okta over SAML 2.0 or OpenID Connect, and reuse their access controls (MFA, conditional access, central de-provisioning) for authentication and authorisation. Central de-provisioning matters for insider risk: disabling a leaver's identity provider account removes their APEX access in one place.
Each authentication scheme can be configured per application or shared between applications.
Authorisation
Use authorisation schemes to assign user roles and privileges.
Page-level and component-level access control: who can view a page, region, item, button, process and so on.
Use custom PL/SQL to enforce granular rules, and check the scheme's Evaluation Point: "Once per session" caches the result for the whole session, so a role revoked mid-session is not picked up until the user logs in again.
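As an added example (not code from the original post), here is a time-bounded role table and a PL/SQL function that can be called from an authorization scheme of type "PL/SQL Function Returning Boolean". The table, function and role names are assumptions for illustration.

```sql
-- Added example, not from the post: role grants with an expiry, checked for the
-- current APEX user. Table and function names are assumed.
create table app_user_roles (
  username    varchar2(255) not null,
  role_name   varchar2(30)  not null,
  valid_from  date default sysdate not null,
  valid_to    date,                      -- null = no expiry yet
  constraint app_user_roles_pk primary key (username, role_name)
);

-- Constructed sample data: ALICE holds the role, BOB's grant expired yesterday.
insert into app_user_roles (username, role_name) values ('ALICE', 'PAYROLL_ADMIN');
insert into app_user_roles (username, role_name, valid_from, valid_to)
  values ('BOB', 'PAYROLL_ADMIN', sysdate - 30, sysdate - 1);
commit;

-- Returns true only if the current APEX user holds an unexpired grant of p_role.
-- Outside an APEX session sys_context('APEX$SESSION','APP_USER') is null, so the
-- function denies by default instead of granting.
create or replace function has_role (p_role in varchar2) return boolean is
  l_count pls_integer;
begin
  select count(*)
    into l_count
    from app_user_roles
   where username  = sys_context('APEX$SESSION', 'APP_USER')
     and role_name = upper(p_role)
     and valid_from <= sysdate
     and (valid_to is null or valid_to > sysdate);
  return l_count > 0;
end has_role;
/

-- Authorization scheme body in APEX (Shared Components > Authorization Schemes):
--   return has_role('PAYROLL_ADMIN');
-- Apply the scheme to the page and also to the buttons and processes that carry
-- out the privileged action, so that hiding the button is not the only control.
```

Expiring grants rather than deleting them leaves a record of who held what and when, which is exactly the question an insider investigation asks.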
Session Protection
Session Timeout and Idle Timeout settings (Maximum Session Length and Maximum Session Idle Time under Security Attributes) end sessions left open on unattended machines.
Session State Protection adds checksums to URLs and item values so they can't be tampered with in transit, and items holding sensitive values can be set to "Store value encrypted in session state" so they aren't readable in clear text by anyone browsing the session state tables or the Session State administration pages.
SQL Injection and Cross-Site Scripting (XSS) Protection
Use bind variables (:P1_ITEM) instead of string concatenation wherever a value flows into SQL or PL/SQL.
Escape values for the context they are output into: APEX_ESCAPE.HTML for HTML that your PL/SQL builds itself (it is an HTML escaper and offers no protection for SQL), and DBMS_ASSERT for the rare identifier positions (table or column names, ORDER BY) where a bind variable cannot be used.
Built-in HTML escaping of user-generated content in reports, forms, and items; keep "Escape special characters" enabled on report columns unless a column genuinely has to render HTML.
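The following is an added example, not code from the original post. It shows the same lookup written with string concatenation (vulnerable) and with a bind variable (safe), then the two cases the advice above should be read with: an identifier that cannot be bound, and escaping for HTML rather than SQL. The table and function names are assumptions.

```sql
-- Added example, not from the post. Table and function names are assumed.
create table emp_demo (empno number primary key, ename varchar2(30), deptno number, sal number);
insert into emp_demo values (1, 'ALICE', 10, 5000);
insert into emp_demo values (2, 'BOB',   20, 4000);
insert into emp_demo values (3, 'CAROL', 20, 4500);
commit;

-- VULNERABLE, kept to show the problem. The item value becomes SQL text, so
-- p_dept => '10'' or ''1''=''1'  (i.e. the value  10' or '1'='1 )
-- turns the WHERE clause into  deptno = '10' or '1'='1  and counts all 3 rows.
create or replace function dept_count_unsafe (p_dept in varchar2) return number is
  l_n number;
begin
  execute immediate
    'select count(*) from emp_demo where deptno = ''' || p_dept || ''''
    into l_n;
  return l_n;
end dept_count_unsafe;
/

-- FIXED: the value is bound, so it can never change the statement's structure.
-- The same injected string now fails with ORA-01722 (invalid number) instead of
-- widening the query; a genuine '10' still returns 1.
create or replace function dept_count_safe (p_dept in varchar2) return number is
  l_n number;
begin
  execute immediate
    'select count(*) from emp_demo where deptno = to_number(:dept)'
    into l_n using p_dept;
  return l_n;
end dept_count_safe;
/

-- Identifiers (column names, ORDER BY) cannot be bound. Whitelist the value and
-- pass it through DBMS_ASSERT before concatenating; anything else is rejected.
create or replace function names_sorted_by (p_sort_col in varchar2) return sys_refcursor is
  l_rc sys_refcursor;
begin
  if upper(p_sort_col) not in ('ENAME', 'DEPTNO', 'SAL') then
    raise_application_error(-20001, 'Unsupported sort column');
  end if;
  open l_rc for 'select ename from emp_demo order by '
                || sys.dbms_assert.simple_sql_name(p_sort_col);
  return l_rc;
end names_sorted_by;
/

-- XSS is a different context. APEX_ESCAPE.HTML escapes a value for output inside
-- HTML (<, >, &, " and, in the default extended mode, ' and /); it is not a SQL
-- escaper and must not be used in place of bind variables.
create or replace function safe_list_item (p_ename in varchar2) return varchar2 is
begin
  -- p_ename => '<img src=x onerror=alert(1)>' comes back with < and > escaped,
  -- so the browser renders it as text instead of executing it.
  return '<li>' || apex_escape.html(p_ename) || '</li>';
end safe_list_item;
/
```

The rule of thumb: a bind variable for every value position, a whitelist plus DBMS_ASSERT for every identifier position, and an escape chosen for the output context (HTML, JavaScript, URL) rather than for the input.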
URL Tampering Protection
Checksum-protected URLs prevent users from altering the URL to see records they should not see, or from changing values passed between pages.
Item-level protection, e.g. "Restricted - May not be set from browser", stops users setting items through crafted URLs or JavaScript.
Auditing & Logging
APEX Activity Logs track user sessions, page views, and errors (logging has to be enabled at instance and application level, and the logs are kept only for a limited, configurable period, so export what you need to retain).
Turn on Oracle Database auditing, such as Unified Auditing, which records activity independently of the application and still works when the application is bypassed.
Build custom audit tables to log data changes and access, capturing the APEX end user and not just the database user (which for APEX is the connection-pool account).
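As an added example (not code from the original post), here is a change-audit trigger that records the APEX end user alongside the database user, followed by a Unified Audit policy on the same table. Table, trigger and policy names are assumptions; the unified-audit part needs the AUDIT SYSTEM privilege and is normally run by a DBA.

```sql
-- Added example, not from the post. Table, trigger and policy names are assumed.
create table salary_demo (empno number primary key, sal number);
insert into salary_demo values (1, 5000);
commit;

create table salary_demo_audit (
  audit_id      number generated always as identity primary key,
  changed_at    timestamp with time zone default systimestamp not null,
  apex_user     varchar2(255),           -- null => the change did not come through APEX
  apex_session  number,
  db_user       varchar2(128) not null,  -- for APEX this is the connection-pool account
  client_ip     varchar2(64),
  action        varchar2(6)   not null,
  empno         number,
  old_sal       number,
  new_sal       number
);

-- Who (APEX user and DB user), when, from where, and what changed.
create or replace trigger salary_demo_aud
  after insert or update of sal or delete on salary_demo
  for each row
begin
  insert into salary_demo_audit
    (apex_user, apex_session, db_user, client_ip, action, empno, old_sal, new_sal)
  values (
    sys_context('APEX$SESSION', 'APP_USER'),
    to_number(sys_context('APEX$SESSION', 'APP_SESSION')),
    sys_context('USERENV', 'SESSION_USER'),
    sys_context('USERENV', 'IP_ADDRESS'),
    case when inserting then 'INSERT' when updating then 'UPDATE' else 'DELETE' end,
    coalesce(:new.empno, :old.empno),
    :old.sal,
    :new.sal);
end salary_demo_aud;
/

-- An insider with direct database access bypasses the app entirely; those changes
-- are exactly the rows with apex_user null, which are worth alerting on.
select changed_at, db_user, client_ip, action, empno, old_sal, new_sal
  from salary_demo_audit
 where apex_user is null;

-- Unified Auditing records the same statements outside the application's reach:
-- a trigger can be disabled by anyone with ALTER on the table, the audit trail
-- cannot. In APEX sessions DBUSERNAME is the pool account, so tie the entry back
-- to the end user via CLIENT_IDENTIFIER, which APEX sets to "<APP_USER>:<session id>".
-- (Qualify the table with its owning schema if this is run as a different user.)
create audit policy salary_demo_pol
  actions update on salary_demo, delete on salary_demo;
audit policy salary_demo_pol;

select event_timestamp, dbusername, client_identifier, sql_text
  from unified_audit_trail
 where unified_audit_policies = 'SALARY_DEMO_POL'
 order by event_timestamp desc;
```

The two mechanisms complement each other: the trigger gives application-level context (APEX user, old and new values), the unified audit trail gives a record the application owner cannot quietly switch off.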
Database controls
VPD (Virtual Private Database) makes the same table appear differently to different users, based on their identity, role or context, by appending a predicate to every query against it.
Custom views with SQL predicate restrictions.
Use separate schemas and minimal grants to lock things down: the parsing schema should own, or be granted, only what the application actually needs.
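As an added example (not code from the original post), here is a VPD policy that restricts a table to the departments the current APEX user belongs to. Table, function and policy names are assumptions; DBMS_RLS requires EXECUTE on the package, which a DBA grants.

```sql
-- Added example, not from the post. Table, function and policy names are assumed.
create table case_files (
  case_id   number primary key,
  dept_code varchar2(10) not null,
  summary   varchar2(4000)
);
create table user_departments (
  username  varchar2(255) not null,
  dept_code varchar2(10)  not null,
  constraint user_departments_pk primary key (username, dept_code)
);

-- Constructed sample data
insert into case_files values (1, 'HR',  'Grievance, HR only');
insert into case_files values (2, 'FIN', 'Supplier payment query');
insert into user_departments values ('ALICE', 'HR');
insert into user_departments values ('BOB',   'FIN');
commit;

-- Policy function: must take (schema, object) and return a predicate string.
-- The predicate references sys_context instead of embedding the user name, so
-- the SQL text is the same for every user and the cursor can be shared.
create or replace function case_files_policy (
  p_schema in varchar2,
  p_object in varchar2) return varchar2 is
begin
  return 'dept_code in (select dept_code from user_departments'
      || ' where username = sys_context(''APEX$SESSION'', ''APP_USER''))';
end case_files_policy;
/

-- Attach the policy. update_check => true also rejects an INSERT or UPDATE that
-- would produce a row the user could not read back (e.g. re-tagging a case to
-- another department).
begin
  dbms_rls.add_policy(
    object_schema   => sys_context('USERENV', 'CURRENT_SCHEMA'),
    object_name     => 'CASE_FILES',
    policy_name     => 'CASE_FILES_DEPT_POL',
    function_schema => sys_context('USERENV', 'CURRENT_SCHEMA'),
    policy_function => 'CASE_FILES_POLICY',
    statement_types => 'SELECT, INSERT, UPDATE, DELETE',
    update_check    => true);
end;
/

-- In an APEX session as ALICE, "select * from case_files" returns only case 1; as
-- BOB only case 2. With no APEX session APP_USER is null, the subquery matches
-- nothing and direct SQL sees no rows. SYS and users holding EXEMPT ACCESS POLICY
-- bypass VPD entirely, which is one more reason to keep that privilege rare.
```

Because the predicate is applied in the database, it also covers reports, REST endpoints and ad-hoc queries run against the parsing schema, not just the pages where a developer remembered to add a WHERE clause.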
Tools to assist with identifying common problems
APEXSec - a fantastic paid-for tool which scans your applications, scores them and shows you how to make security improvements.
APEX Sert - a free security scanning tool for APEX applications. Scan your applications for security vulnerabilities, resolve them directly, and track your progress in making your application secure.
APEX Advisor - built-in functionality that everyone always seems to forget about. It highlights common issues and takes you straight to them to fix.
Sonarqube - a static code analysis tool which automatically finds code quality and security issues, helping to keep your software secure, maintainable and production-ready.
Most of the above can be run from CI/CD pipelines so that the checks don't depend on someone remembering to run them; use them to check your apps before a merge request is accepted.
Conclusion
Insider risk is a genuine concern, and you shouldn't assume that your apps can be less secure just because they aren't public facing.
The points above are some of the measures you can take to enhance your application security.
For more information on how RADAPEX can enhance the security of your business apps, please contact us.