"Do you know if Oracle or a third-party has verified how secure APEX is against threats or vulnerabilities? It would be nice to have something published saying how secure APEX is and how it's never been compromised."

Now I imagine smart people like David Litchfield or Pete Finnigan or Alexander Kornbrust would hope that I say something daft here. But that's not going to happen. As I replied to the partner:
Sorry, but this doesn't make sense, and for a couple of reasons:
- There have been published security vulnerabilities in Application Express in the Oracle Critical Patch Update, and they have been fixed in subsequent releases of APEX. It is incorrect to say that there have never been bugs in APEX itself. Here's an example: http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html
- Secondly, even if APEX never had any security bugs in its existence, if someone built an APEX application which is susceptible to SQL Injection or cross site scripting, does that mean that APEX was compromised?
I can offer you the following:
- APEX 5.0.3 is the most secure version of APEX in our history.
- APEX 5.0.3 has more security features than any release of APEX in our history.
- We are never permitted to release any version of APEX with known security vulnerabilities, whether they are internally or externally filed.
- We routinely scan APEX itself for security vulnerabilities across a variety of threats, and do this multiple times in a release cycle.
- Oracle Database Cloud Schema Service runs APEX, and has endured yet another set of multiple rounds of Cloud Security testing.
- The Oracle Store runs APEX.
- APEX is used in countless military agencies and classified agencies around the globe.
- Even inside of Oracle, IT hosts an instance of APEX used by practically every line of business in the company, and it's cleared for the most strict information classification inside of Oracle.
- APEX is even used in the security products from Oracle, including Oracle Audit Vault & Database Firewall, Oracle Key Vault and Oracle Real Application Security.