Wednesday, 8 September 2010

Secure APEX

Yesterday I attended the ODTUG webinar "Securing APEX Development" by Scott Spendolini. Initially I thought it would be about the security features in APEX and how to use them. Scott surprised me pleasantly: he had a good story about the underestimation of (application) protection in general, but more important, he presented a solution that is so well thought and fits perfectly in a proper designed application.



I don't know if I will use this setup for all my (demo) applications (it requires some additional actions when building your data model) but when it is a serious production application I definitely think Scott's solution is a good Design Principle. This principle is also very usable for Java and .Net applications, where often an OBJECT_USER vs OBJECT_OWNER model is used. Although the OBJECT_USER usually already has limited privileges, Scott's solution goes further, making the connection setup as secure as possible.
Within APEX, most developers (including me) are tempted to assign the OBJECT_OWNER schema to the application's workspace, because we all think we do not need to worry about the way the connection pool in APEX is setup. Scott showed me I am wrong.

I learned a good lesson.

You can read about the webinar shortly on ODTUG's website.
I already found a pdf of the presentation on the UTah Oracle User Group site