Monday, June 09, 2014

Security Audit of WC2014Challenge

A few weeks ago I asked my friends at RecX to do a security audit of the World Cup 2014 Challenge app. The result was a security assessment document explaining what they tested, why each test mattered, and what they found. I found it very interesting to see how other (security) people approach your code.

Here are the areas they went into:

Access Control

  • Hidden items
  • Item Protection
  • Page Access Protection

Configuration
  • Session Timeout

Cross-Site Scripting
  • Column From LOV/Query (make use of )
  • Direct Output
  • Indirect Output
  • Report Column Display Type
  • Template Variables
Tip: make use of apex_escape.html, apex_escape.html_attribute, utl_url.escape
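
Worked example of the XSS tip above, added here and not part of the audit report or the app: a PL/SQL Dynamic Content region that writes a page item back into the page, first unescaped (the "Direct Output" case) and then escaped for each output context with the functions named in the tip. The item name P1_SEARCH and page number 1 are hypothetical.

```sql
declare
  -- user-controlled value read from a page item (P1_SEARCH is hypothetical)
  l_term varchar2(4000) := v('P1_SEARCH');
begin
  -- Vulnerable "Direct Output": the raw value is written straight into the
  -- page, so a value containing markup such as <script> is rendered as HTML.
  -- htp.p('<p>Results for: ' || l_term || '</p>');

  -- Fixed: escape for the context the value lands in.
  -- 1. HTML text content
  htp.p('<p>Results for: ' || apex_escape.html(l_term) || '</p>');

  -- 2. HTML attribute value (quotes are escaped as well)
  htp.p('<input type="text" name="q" value="'
        || apex_escape.html_attribute(l_term) || '">');

  -- 3. value embedded in a URL: percent-encode it with utl_url.escape, then
  --    escape the whole URL as an attribute value (hypothetical page 1)
  htp.p('<a href="'
        || apex_escape.html_attribute(
             'f?p=' || :APP_ID || ':1:' || :APP_SESSION
             || '::NO::P1_SEARCH:' || utl_url.escape(l_term, true))
        || '">Search again</a>');
end;
```

The same rule applies to report columns: a column rendered as a "Standard Report Column" is not escaped, which is why the "Report Column Display Type" finding exists.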

Data Protection
  • Page Autocomplete
Tip: Ensure sensitive data is not held in the browser cache

Warnings
  • Direct URL
You can read more about security in their Hands-On Oracle Application Express Security book.

Thanks Nathan and Tim.

2 comments:

Dan said...

We use eSert from Enkitec and it is amazing what vulnerabilities are uncovered from a security audit. All too often, security is an afterthought with developers... not any more for me!

Dimitri Gielis said...

I agree, anything is good; manual review by somebody else, automated review with tools like eSert and ApexSec help a lot in creating a secure environment...