Security in information technology is more critical today than it ever has been. Breaches are unfortunately all too common. As an APEX developer, securing your applications falls squarely on your shoulders. However, security often becomes an afterthought, if it gets addressed at all. For this reason, we developed eSERT. eSERT is an APEX application that quickly evaluates your APEX applications for common security vulnerabilities and provides step-by-step instructions on how to mitigate them. eSERT is not just an evaluation tool; it is also designed to be used by your developers during your development process, as it is fully integrated with the APEX development environment. Whether you have a single APEX application or hundreds of them, eSERT can help ensure that they are as secure as they can possibly be.
3. About Enkitec
Oracle Platinum Partner
Established in 2004
Headquartered in Dallas, TX
Locations throughout the US & EMEA
Specialties include
Exadata Implementations
Development Services
PL/SQL / Java / APEX
DBA/Data Warehouse/RAC
Business Intelligence
4. Sumneva Acquisition
On June 22nd, 2012, Enkitec acquired Sumneva
sumnevaSERT now called eSERT
sumnevaFramework now called eFramework
Enkitec is as committed as ever to APEX products,
services & training
eSERT v2
eSERT Cloud
At least two more products for APEX developers in CY2012
7. Insecurities
We live in a time where the security of data is the most emphasized yet least practiced discipline
It is almost impossible to keep up with how many sites have been compromised anymore
Unfortunately, adding security to our applications is almost always event-driven or reactive
8. Customer Demand
Despite this, we’re all tasked with quickly developing applications for our customers/clients
We often take shortcuts and leave out things, like security
Not because we want to, but because we have to
9. Excuses, Excuses...
We make many, many excuses to ourselves as to why we didn’t adequately secure our applications:
Not enough time
No one cares about the data/application
It’s “internal only”
Our users are not smart enough to do anything malicious
False sense of security
10. Recipe for Disaster
Given:
The stresses of getting our applications released quickly
The lack of time we have to do so
Our applications - APEX & otherwise - are likely
to have potential security vulnerabilities that
we could easily fix
If we only knew what they were and had the time...
12. eSERT 2.0
eSERT:
Security Evaluation & Recommendation Tool
APEX application designed to evaluate and identify
potential security issues in other APEX applications
Supports both APEX 4.0 & 4.1
APEX 4.2 support shortly after release
Oracle Database 10gR2 or later
Runs in and is integrated with your APEX Workspace
Single Workspace Install in eSERT 2.1
Designed to be a part of your development process
13. How it Works
eSERT evaluates your application’s metadata for potential security issues
Takes only a few seconds to run
Result is an interactive APEX application that allows developers to easily explore and mitigate potential threats
Each application is scored based on eSERT’s findings
Designed to clearly identify what needs attention and steer developers or managers in that direction
14. Classifications
eSERT inspects APEX applications and reports on threats in five classifications:
URL Tampering
Cross Site Scripting
SQL Injection
App Settings
Page Settings
15. Scoring
Evaluations in eSERT will produce three scores:
Raw
Actual results of the evaluation
Pending
Raw score plus any exception - approved or not - that developers have put in place to justify existing threats
Approved
Raw score plus all approved exceptions
16. Results
eSERT will assign a status & color code to every component which it evaluates:
Pass
Approved
Pending
Fail
Rejected
Stale
17. Complete Evaluation
eSERT evaluates all components of an application, regardless of their condition & authorization scheme
Nothing gets skipped
eSERT can be pre-configured with a set of valid values
Which can be changed or augmented depending on your interpretation or business needs
19. Ongoing Evaluation
eSERT allows developers to add exceptions for false positives and acceptable risks
All exceptions must be reviewed & approved by a manager before the “approved” score increases
As exceptions are logged, the value of the attribute in question is also captured
If this value changes at any time, the exception will be instantly flagged as “stale” and require re-approval
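The slides above (Scoring, Results, Complete Evaluation and Ongoing Evaluation) describe an evaluation that compares component attributes against a configurable set of valid values, lets developers log exceptions whose attribute value is captured at the time, flags an exception as stale when that value later changes, and rolls everything up into raw, pending and approved scores. The Python below is an added illustration of that workflow, not eSERT's own code: the attribute names, the sets of valid values, the sample inventory and the percentage-based score formula are all assumptions made for the example.

```python
"""Added illustration of a metadata-driven evaluation with developer exceptions.
Not eSERT's code: attribute names, valid values and the score formula are assumed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Pre-configured valid values per attribute (hypothetical names). None means any
# non-empty setting passes, e.g. "some authorization scheme must be assigned".
# An organisation would change or augment these to match its own policy.
VALID_VALUES: Dict[str, Optional[set]] = {
    "session_state_protection": {
        "Checksum Required - Session Level",
        "Checksum Required - User Level",
        "Restricted - May not be set from browser",
    },
    "escape_special_characters": {"Yes"},
    "authorization_scheme": None,
}

Key = Tuple[int, str, str]  # (page, component name, attribute)


@dataclass
class Component:
    page: int
    name: str
    attribute: str
    value: str

    @property
    def key(self) -> Key:
        return (self.page, self.name, self.attribute)


@dataclass
class Exception_:
    """Developer-logged exception; the attribute value is captured when it is logged."""
    key: Key
    captured_value: str
    state: str  # "pending", "approved" or "rejected"


def passes(component: Component) -> bool:
    allowed = VALID_VALUES[component.attribute]
    if allowed is None:
        return bool(component.value.strip())
    return component.value in allowed


def status(component: Component, exc: Optional[Exception_]) -> str:
    if passes(component):
        return "Pass"
    if exc is None:
        return "Fail"
    if exc.captured_value != component.value:
        # Attribute changed after the exception was logged: the original
        # justification no longer applies, so it needs re-approval.
        return "Stale"
    return {"pending": "Pending", "approved": "Approved",
            "rejected": "Rejected"}[exc.state]


def evaluate(components: List[Component],
             exceptions: List[Exception_]) -> Dict[Key, str]:
    by_key = {e.key: e for e in exceptions}
    return {c.key: status(c, by_key.get(c.key)) for c in components}


def scores(statuses: Dict[Key, str]) -> Dict[str, float]:
    """Percent of components acceptable under each view (assumed formula).
    Rejected and Stale exceptions never raise a score."""
    total = len(statuses)

    def pct(ok: set) -> float:
        return round(100.0 * sum(1 for s in statuses.values() if s in ok) / total, 1)

    return {
        "raw": pct({"Pass"}),
        "pending": pct({"Pass", "Approved", "Pending"}),
        "approved": pct({"Pass", "Approved"}),
    }


def run_sample() -> Tuple[Dict[Key, str], Dict[str, float]]:
    # Constructed sample inventory of six component attributes.
    components = [
        Component(1, "P1_ID", "session_state_protection", "Checksum Required - Session Level"),
        Component(1, "P1_NOTES", "escape_special_characters", "No"),
        Component(2, "P2_SEARCH", "escape_special_characters", "No"),
        Component(2, "P2_ID", "session_state_protection", "Checksum Required - Application Level"),
        Component(3, "P3_ADMIN", "authorization_scheme", ""),
        Component(3, "P3_LIST", "escape_special_characters", "No"),
    ]
    exceptions = [
        Exception_((1, "P1_NOTES", "escape_special_characters"), "No", "approved"),
        Exception_((2, "P2_SEARCH", "escape_special_characters"), "No", "pending"),
        # Logged while P2_ID was "Unrestricted"; the item has since been changed.
        Exception_((2, "P2_ID", "session_state_protection"), "Unrestricted", "approved"),
        Exception_((3, "P3_ADMIN", "authorization_scheme"), "", "rejected"),
    ]
    statuses = evaluate(components, exceptions)
    return statuses, scores(statuses)


if __name__ == "__main__":
    st, sc = run_sample()
    for key, s in st.items():
        print(key, s)
    print(sc)
```

In the sample, P2_ID shows the stale case: its exception was approved while the item was "Unrestricted", the developer later changed the attribute, and because the new value still fails the check and differs from the captured one, the component drops out of both the pending and approved scores until a manager re-approves it.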
20. Without eSERT
Correcting each additional security vulnerability may cause other functional issues
Thus, a high number of vulnerabilities corrected at once will yield more functional defects
[Chart: Vulnerabilities vs. Time]
21. With eSERT
Using eSERT to keep security vulnerabilities to a minimum reduces the number of functional defects introduced
[Chart: Vulnerabilities vs. Time]
22. New Features Summary
Feature                    Version 2.0 (APEX 4.0)   Version 2.1 (APEX 4.1)
Exceptions & Notations     ✓                        ✓
Social Stream              ✓                        ✓
Enhanced UI                ✓                        ✓
PDF Reports                ✓                        ✓
Import/Export              ✓                        ✓
Scheduled Evaluations                               ✓
Single Workspace Install                            ✓
SaaS (eSERT Cloud)         Cloud Only
25. eSERT Cloud
eSERT Cloud is an affordable hosted service where anyone can upload their APEX applications and get an instant security evaluation via eSERT
Interactive Dashboard with summary results
PDF Summary Report (typically 100+ pages)
26. How it Works - 5 Simple Steps
1) Create an account at http://enkitec.com/sert
2) Request a workspace to upload your APEX applications into
3) Purchase evaluation credits (1 credit = 1 application evaluation)
4) Select an application to evaluate
5) View and/or download the results
29. Summary
eSERT provides you with the ability to easily and quickly identify and remedy most APEX security vulnerabilities
It’s designed to be used both during and after development, not as a checkpoint at the end
As a side effect, your developers will become more security-conscious by using eSERT and incorporate secure best practices by default
30. Customers Across All Industries
Private Sector
Multi-Channel Retailer: massive application with over 300 concurrent users
Major Defense Contractor: internal applications
Major Healthcare Provider: Internet-facing e-commerce application
Higher Education: multiple major universities, access to student & research information
Public Sector
Intelligence Agency: over 100 internal applications
Local Government: hundreds of applications
Civilian Agency: infrastructure management
DOD Agency: logistical reports & info
31. Statement of Direction
Version 2.2 - Q4 2012
APEX 4.2 Support
Based on actual release date
Additional Reports & Analytics
Scheduled Evaluation Enhancements
Team Development Integration
32. Licensing
eSERT
Per Instance of APEX
Per APEX Workspace
Per APEX Application
eSERT Cloud
Per Evaluation of an Application
Volume discounts available
33. Want More Details?
Contact us for details & pricing
sales@enkitec.com
Americas
+1 972 607 3751
EMEA
+44 7944 654510
http://www.enkitec.com/sert
Welcome to the sumnevaSERT demonstration. sumnevaSERT is an APEX-based tool that evaluates your APEX applications for common security vulnerabilities and provides the required steps to fix them.
here millions of e-mail addresses and their corresponding owner names were compromised.

Most, if not all, of these events could have been prevented. However, we live in a reactive society; we don’t make changes until a breach occurs, which is always too late.
In today’s world, our customers expect quick turnaround for all things IT, including the applications which we’re all charged with developing. This pressure falls squarely on our shoulders, and we often knowingly take shortcuts that we know are wrong, as that’s the only way we can meet our deadlines.
Unfortunately, we have all become quite the experts at making excuses for taking these shortcuts:
 - Not enough time
 - No one cares enough about the application to steal the data
 - It’s internal only - which is the biggest threat, since most data is stolen from authorized users
 - Our users can barely use the system, let alone hack it. But what you may not be considering is their willingness to give their credentials to someone who can hack it
 - We run Oracle, Oracle is secure, thus our applications are secure
All of these excuses spell out a recipe for disaster. Given the stresses that we’re under, combined with the lack of time we have to complete our development, it’s not only possible but probable that our applications - APEX & otherwise - have security vulnerabilities that we could easily fix, if we only had the time to identify them.
This is why we developed sumnevaSERT, which stands for Security Evaluation & Review Tool. sumnevaSERT is designed to quickly evaluate & identify common security vulnerabilities in your APEX applications.

It runs on both APEX 3.2 & 4.0, and supports any edition of the Oracle Database, as long as it’s 10gR2 or later.

It can even be completely customized to meet your organization’s specific security and/or QA requirements.
sumnevaSERT will not secure everything. It is simply a layer in your security plan. But it’s a powerful layer, as the threats that it will identify and help you mitigate will make your APEX applications much more secure.

You’ll still need a strong overall security policy, which should include, but not be limited to, strong passwords, physical access control, code audits and security best practices.
Licensing will be done on a per-instance basis. If you have any questions about pricing, please contact Sumneva at sales@sumneva.com or by calling us at 703-879-4615.
Thank you for taking the time to watch this overview of sumnevaSERT. Please visit sumneva.com for more information on our services.