Thursday 2 March 2023

Oracle APEX Security - APEX SERT for APEX 19.1, APEX 19.2, APEX 20.2, APEX 21.1, APEX 21.2, APEX 22.1, APEX 22.2


ORACLE APEX Security scanning - APEX SERT upgraded

Free and easy security scanning tool for your APEX apps

I hope that by now we are all on the same page: as developers we need to put more effort into securing our apps. 

From the first days of APEX Advisor and Patrick's work on it until today, I have always felt that, with all the cool new features arriving, I would like a bit more emphasis on security scanning, especially in the Page Designer area where we developers spend our time. 

Please do not read this the wrong way: we all know that out of the box APEX is a secure low-code framework. It is we developers who, through a lack of security knowledge and awareness, expose our apps to attacks such as SQL injection and cross-site scripting (XSS). 
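To make concrete what a scanner such as APEX SERT is looking for, here is an added example (it is not from the original post and it is not SERT's own code) of the two classic mistakes above, each shown as an APEX PL/SQL process body written the vulnerable way and then the hardened way. The page items P1_ENAME, P1_COUNT, the EMP table and its ENAME column are hypothetical; each BEGIN ... END block stands for a separate process body.

```sql
-- Added example, not part of the original post or of APEX SERT.
-- Assumed (hypothetical) page items: P1_ENAME (user input), P1_COUNT (output).
-- Assumed table: EMP with column ENAME.

-- 1) SQL injection, VULNERABLE: the page item value is concatenated into the
--    SQL text. Entering   x' OR '1'='1   in P1_ENAME rewrites the WHERE clause
--    and the query returns every row. This is the pattern a scan should flag.
DECLARE
  l_sql VARCHAR2(4000);
BEGIN
  l_sql := 'SELECT COUNT(*) FROM emp WHERE ename = ''' || :P1_ENAME || '''';
  EXECUTE IMMEDIATE l_sql INTO :P1_COUNT;
END;

-- 1) SQL injection, HARDENED: the value travels as a bind variable and is
--    never part of the SQL text, so quotes in the input cannot change the query.
BEGIN
  EXECUTE IMMEDIATE 'SELECT COUNT(*) FROM emp WHERE ename = :1'
    INTO  :P1_COUNT
    USING :P1_ENAME;
END;

-- Most processes do not need dynamic SQL at all; static SQL binds the item
-- automatically and is the simplest safe form.
BEGIN
  SELECT COUNT(*) INTO :P1_COUNT FROM emp WHERE ename = :P1_ENAME;
END;

-- 2) XSS, VULNERABLE: user input is written straight into the HTML response.
--    A value such as   <script>alert(1)</script>   runs in the victim's browser.
BEGIN
  htp.p('<p>Hello ' || :P1_ENAME || '</p>');
END;

-- 2) XSS, HARDENED: apex_escape.html (part of the APEX PL/SQL API) replaces the
--    HTML-significant characters (&, <, >, quotes) with entities before output,
--    so the input is displayed as text instead of being parsed as markup.
BEGIN
  htp.p('<p>Hello ' || apex_escape.html(:P1_ENAME) || '</p>');
END;
```

The common thread is that untrusted input should cross a trust boundary only as data (a bind variable, an escaped string), never as code (SQL text, HTML markup). A metadata scanner can spot the concatenation patterns in the vulnerable blocks, which is exactly the immediate feedback the post is asking for.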

The APEX team does an amazing job of bringing security within APEX up to the latest standards with every release, and we all appreciate that. My point here is a different one: having a free, built-in ability to security scan our applications while we are developing them, without needing a third-party vendor. 

I am talking about a tool that can be incorporated into the everyday development life cycle. This is not a criticism of the great work that has gone into APEX over the past few years.

For example: I make my changes, I am happy with them, and I click a button, much like what happens today when we create a new PL/SQL process and let APEX check and warn us about code that does not compile or other errors it finds. We get immediate feedback that something needs to be addressed, and we all love that.  

APEX Advisor is a great tool, but across the community it is simply not used. I will not go into the reasons why; this is just my experience. And with security, the more layers we have the better.  

Going back to the point...


It has been some time in the making, but finally it is ready to be shared with you all. 

If you have ever wanted a tool to help make your APEX apps more secure, here is the good news. 

You may have come across a super handy, free-to-use tool called APEX SERT, hiding at https://github.com/OraOpenSource/apex-sert. Whether you have used it or even heard of it does not matter at this stage.

A short history of the project: it was a team effort, originally led by Scott Spendolini, that did a great job of getting us up to APEX version 5. 

Unfortunately the last commits on the project happened more than five years ago, which can happen with an open source project like this. 

To me it only means the contributors behind the idea have been super busy :D  

Could we build on it and make it work again, so it could be used with the latest version of APEX? A fair question, especially once you know that APEX SERT is, in the end, one big APEX app.

From time to time I have heard people say that the Oracle APEX team uses SERT as its tool of choice in some of the development work taking place at Oracle. That made many of us think the original tool is far from dead as a product and far from being left behind. That is good news for all of us, but why has it never been updated and uploaded back into the original Git repo?

If you look closely, somewhere down in the comments you will find a version someone adjusted for APEX 18, but you may still hit some gotchas when trying to use it. 

If you have ever used and explored it, you will know there are tons of things you can learn from it about APEX in general and about the security of your apps, so I highly encourage you to give it a try. At its core it is just another APEX app. 

The idea here is not to take anything away but to share and contribute to the whole APEX security community space. All credit goes to the community and the team effort that has supported APEX SERT from day one.

With that said here are all available APEX SERT versions:

These versions have not yet been committed or shared under the original APEX SERT project, simply due to lack of time. I was never sure how best to do this. :) 

Never say never, so that may happen in the months to follow, depending on your feedback.

I would appreciate your feedback if you use one of the versions, especially about any bugs you find along the way.

As with all things, I encourage you to read the original documentation to get a sense of what it is and how it works, then simply check the ins_auto_setup.sql script, which should do the installation in "one click" and leave you ready to go.

Things have been optimized, simplified and updated for each APEX release, which should make it simple enough. 

My only "ask" is: please consider using it (if not APEX SERT, then any other security tool on the market is just as good), and do not hesitate to provide feedback, good or bad. 



Happy APEXing,

SLino

7 comments:

  1. Thanks for sharing. Have you successfully installed this on RDS in AWS? I note it requires administrative level access to the database and this may perhaps be hampered by RDS in AWS.

    Replies
    1. I never tried this; you most likely need an account that has some admin privileges. It would be really interesting to know if it would work even if we had to run some parts of the installation manually. Worst case, nothing is stopping you from importing the app into your local VM/XE machine and running scans there.

  2. Hmm, have you tried installing in OCI? I would love to see if it works there.

  3. How do I explain to revion.com to install this version? They feel it is NOT production ready (WTH)?

    Replies
    1. Well, we tried giving them all they needed but they simply did not show enough love... or should we say support. ;)

  4. After successful installation of the 22.1 version we are unable to access the application to create scans; it constantly returns the below error even after logging into the workspace:

    Your session has expired. Please login to your APEX Workspace again and re-launch APEX-SERT.

    Replies
    1. You need to make sure the ORDS REST service has been installed correctly in the SERT schema. This is what typically gives you this error.