AT RECX we’ve been involved in the world of IT Security for more than a decade. We were
involved in some of the fi rst penetration tests performed in the UK, where large organizations and
government departments allowed ethical hackers into their networks to determine the risk they
faced from what are now known as cyber attacks.
As web applications rose in popularity around the turn of the century, we worked to develop tools
and tactics to assist in attacking sites for customers. As more content was placed within web-based
systems, this area of research grew almost in tandem with the number of real-world attacks that
were happening against Internet-facing websites.
In recent years, we became exposed to Oracle Application Express (APEX) and realized that there
was no single resource for developers on securing their APEX applications. We were able to break
into APEX applications in a myriad of ways after learning about the unique structure of the APEX
environment. But we had to learn from scratch why the security fl aws existed and how to explain to
developers the steps required to resolve the risks. We’ve collated this experience and advice into this
book to help any APEX developer create secure APEX applications.
Oracle APEX use is booming, and we’re seeing more Oracle customers choosing APEX for
presentation of their business data from the database. Some customers have hundreds of APEX
applications, ranging in complexity from simple data presentation and reporting through to complex
business process management and geospatial analysis. Many have serious security requirements and
need to ensure that their data is protected both from unknown parties operating on their networks,
and also their “trusted” users acting with malicious intent.
APEX is a great tool for rapidly getting raw data out of the database and into a familiar browser
environment for users. Whereas there is a gain in terms of functionality in this Rapid Application
Development (RAD) model, what we often see is a detrimental effect on security. That’s where Recx
comes in — we hope this book is useful for all levels of APEX developers to understand the common
risks faced by web applications, how they occur within APEX, and the simple steps required to
ensure applications are robust against attack.